fix(security): prevent XSS attacks and URL injection vulnerabilities #2

Open

awara-coder wants to merge 1 commit into main from fix/security-vulnerabilities

Conversation

@awara-coder (Owner)

Critical security improvements to eliminate XSS and CSP bypass vulnerabilities.

Changes:

  1. Added validator.js utility with URL and email validation

    • isValidUrl(): Validates URLs against allowed protocols (http/https/mailto)
    • sanitizeUrl(): Returns safe URL or '#' fallback
    • isValidEmail(): Basic email format validation
  2. Fixed inline event handler in experience.js (CSP bypass)

    • Removed onerror="this.remove()" inline handler
    • Replaced with addEventListener for proper error handling
    • Prevents Content Security Policy bypass
  3. Applied URL sanitization to projects.js

    • Sanitized project.link before href assignment
    • Sanitized project.github before href assignment
    • Prevents javascript: and data: URL injection

Security Impact:

  • Eliminates inline event handler CSP bypass vulnerability
  • Prevents javascript: URL injection attacks
  • Validates all external URLs before use in href attributes
  • Adds defense-in-depth for URL-based XSS vectors

Testing:

  • Malicious URLs (javascript:alert(1)) now sanitized to '#'
  • Only http/https/mailto protocols allowed
  • Relative paths (/, #) still supported

🤖 Generated with Claude Code


Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
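The PR describes a protocol allow-list (http/https/mailto), a '#' fallback, and continued support for relative paths, but the page does not show validator.js itself. The block below is an added example of that design, not the project's code: it uses the WHATWG URL parser built into Node and browsers, which lowercases the scheme and strips leading control characters, tabs and newlines before parsing, so obfuscated forms such as `JavaScript:` or `java\tscript:` reach the same `protocol` check as the plain form. The dummy base origin `relative-base.invalid`, the accepted-relative rule (must stay on that origin) and the "basic" email regex are assumptions of this example.

```javascript
// Added example (not the project's validator.js): protocol allow-list URL
// sanitizer of the kind the PR describes, built on the WHATWG URL parser.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder origin used only to resolve relative references; it never
// appears in the returned value. (Assumption of this example.)
const RESOLUTION_BASE = new URL('https://relative-base.invalid/');

// A reference with no scheme is relative. Resolve it against the placeholder
// base and require that it stays on that origin: this keeps "/path", "?q",
// "#fragment" and "./x", but rejects protocol-relative "//host/..." and the
// backslash variant "/\host/..." that browsers also treat as an authority.
function isSameOriginRelative(candidate) {
  try {
    return new URL(candidate, RESOLUTION_BASE).origin === RESOLUTION_BASE.origin;
  } catch {
    return false;
  }
}

function isValidUrl(value) {
  if (typeof value !== 'string') return false;
  const candidate = value.trim();
  if (candidate === '') return false;

  let parsed;
  try {
    parsed = new URL(candidate); // succeeds only for an absolute reference
  } catch {
    return isSameOriginRelative(candidate);
  }
  // The parser has already lowercased the scheme and removed tabs/newlines,
  // so "JavaScript:" and "java\tscript:" both arrive here as "javascript:".
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Returns the input when it passes the allow-list, otherwise the inert '#'.
function sanitizeUrl(value) {
  return isValidUrl(value) ? value.trim() : '#';
}

// Basic shape check only (one "@", no whitespace, a dotted domain part);
// what "basic" means is an assumption here, this is not RFC 5322 validation.
const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isValidEmail(value) {
  return typeof value === 'string' && EMAIL_PATTERN.test(value);
}
```

When the sanitized value is written to the DOM, assign it through the `href` property or `setAttribute('href', ...)` rather than building markup with `innerHTML`; the allow-list guards the scheme, the property assignment guards against the value being interpreted as HTML. Note that the allow-list is about script execution, not trust: an `https:` link to any host still passes, so a separate host allow-list is needed if the data source is not trusted to pick destinations.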