hotfix: sanitize public form submission data to prevent stored XSS #700

Merged
lane711 merged 1 commit into main from merge-pr-671-xss-sanitization
Mar 26, 2026

@lane711 (Collaborator) commented Mar 26, 2026

Summary

Cherry-picked from #671 by @mmcintosh

Security hotfix: prevents stored XSS via unauthenticated public form submissions. The public form submission endpoint stored arbitrary JSON from anonymous users without sanitization, allowing <script> tags to execute with admin session cookies when viewing submissions.

Changes

  • Added sanitizeDeep() — recursively HTML-encodes all string values in arbitrary nested JSON before storage
  • 5 new unit tests covering script tags, nested objects, arrays, primitives, and event handler injection patterns

Attribution

Changes by Maintainer

  • No additional changes needed — type-check and all tests passed cleanly

Closes #671

🤖 Generated with Claude Code

Form submissions from unauthenticated users were stored with raw
string values, allowing script injection payloads to execute when
admins view submissions. Add recursive sanitizeDeep() that HTML-encodes
all string values in the arbitrary submission JSON before storage.
@lane711 merged commit fbc9b26 into main Mar 26, 2026
2 checks passed
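
An added example, not the code merged in this PR: one way to HTML-encode every string value in nested JSON before storage, as the summary above describes. The names `encodeHtml` and `MAX_DEPTH`, the depth cap and the `__proto__` handling are assumptions of this example; object keys are left as they are because the description covers string values only.

```typescript
// Added example with hypothetical names; not the code merged in this PR.
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };

// Assumed cap on nesting so an anonymous sender cannot exhaust the stack.
const MAX_DEPTH = 32;

// Encode the five characters that matter in HTML text and quoted attributes.
// "&" goes first so the entities produced below are not encoded again.
function encodeHtml(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function sanitizeDeep(value: Json, depth: number = 0): Json {
  if (depth > MAX_DEPTH) throw new RangeError("submission nested too deeply");
  if (typeof value === "string") return encodeHtml(value);
  if (Array.isArray(value)) return value.map((item) => sanitizeDeep(item, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const key of Object.keys(value)) {
      // defineProperty keeps a "__proto__" key from JSON.parse as plain data
      // instead of letting it replace the copy's prototype.
      Object.defineProperty(out, key, {
        value: sanitizeDeep(value[key] as Json, depth + 1),
        enumerable: true, writable: true, configurable: true,
      });
    }
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Constructed sample submission, as an anonymous client might post it.
const sample: Json = {
  name: "<script>alert(1)</script>",
  title: '" onmouseover="alert(1)',
  tags: ["ok", "<img src=x onerror=alert(1)>"],
  meta: { age: 30, subscribed: true, note: null, bio: "Tom & Jerry" },
};

const stored = sanitizeDeep(sample);
console.log(JSON.stringify(stored, null, 2));
```

Encoding at storage time is not idempotent: passing already-encoded data through `sanitizeDeep` again, or HTML-encoding it a second time when rendering, turns `&lt;` into `&amp;lt;`, so the admin view has to treat stored values as already encoded.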