/** * Advanced Input Validation and Sanitization Framework * Comprehensive solution for client-side and server-side input security */ class InputSecurityFramework { constructor(config = {}) { this.config = { // Validation modes strictMode: config.strictMode !== false, allowEmptyStrings: config.allowEmptyStrings || false, trimInputs: config.trimInputs !== false, // Security settings maxInputLength: config.maxInputLength || 10000, maxNestingDepth: config.maxNestingDepth || 10, enableSqlInjectionDetection: config.enableSqlInjectionDetection !== false, enableXssDetection: config.enableXssDetection !== false, enableCommandInjectionDetection: config.enableCommandInjectionDetection !== false, // Sanitization options htmlSanitization: { allowedTags: config.htmlSanitization?.allowedTags || ['p', 'br', 'strong', 'em', 'u'], allowedAttributes: config.htmlSanitization?.allowedAttributes || ['class', 'id'], removeScript: config.htmlSanitization?.removeScript !== false, removeStyle: config.htmlSanitization?.removeStyle !== false }, // Custom validation rules customRules: config.customRules || {}, // Performance settings enableCaching: config.enableCaching !== false, cacheSize: config.cacheSize || 1000, ...config }; // Internal state this.validationCache = new Map(); this.securityPatterns = this.initializeSecurityPatterns(); this.validators = this.initializeValidators(); this.sanitizers = this.initializeSanitizers(); // Statistics this.stats = { validationsPerformed: 0, validationsFailed: 0, securityThreatsDetected: 0, sanitizationsPerformed: 0 }; } // Security Pattern Initialization initializeSecurityPatterns() { return { // XSS Detection Patterns xss: [ /]*>.*?<\/script>/gi, /javascript:/gi, /on\w+\s*=/gi, /]*>/gi, /]*>/gi, /]*>/gi, /]*>/gi, /]*>/gi, /expression\s*$/gi, /url\s*\(/gi, /@import/gi, /vbscript:/gi ], // SQL Injection Patterns sqlInjection: [ /(\bunion\b|\bselect\b|\binsert\b|\bupdate\b|\bdelete\b|\bdrop\b|\bcreate\b|\balter\b)/gi, /(\bor\b|\band\b)\s+[\w\s]*\s*[=<>]/gi, /['"][\s]*;[\s]*--/gi, /\/\*.*?\*\//gi, /((\%27)|'|(\%3D)|=)[^\n]*((\%6F)|o|(\%4F))((\%72)|r|(\%52))/gi, /exec\s*\(/gi, /xp_cmdshell/gi ], // Command Injection Patterns commandInjection: [ /[\|&;`'\"\$\($]/g, /\.\.[\/\\]/g, /(wget|curl|nc|netcat|telnet|ssh|ftp)/gi, /(cat|less|more|head|tail)\s+/gi, /(rm|del|format|fdisk)\s+/gi, /(\n|\r\n|\r)\s*(cd|ls|dir|pwd)/gi ], // Path Traversal Patterns pathTraversal: [ /\.\.[\/\\]/g, /%2e%2e[\/\\]/gi, /\.%2f/gi, /%252f/gi, /\.\.\\/g, /\.\.%5c/gi ], // LDAP Injection Patterns ldapInjection: [ /[\|\&\!]/g, /\*[^=]*=/g, /=[^)]*\)/g ] }; } // Validator Initialization initializeValidators() { return { // Basic Data Type Validators string: (value, options = {}) => { if (typeof value !== 'string') return false; const len = value.length; if (options.minLength && len < options.minLength) return false; if (options.maxLength && len > options.maxLength) return false; if (options.pattern && !options.pattern.test(value)) return false; if (options.allowedChars && ![...value].every(char => options.allowedChars.includes(char))) return false; return true; }, number: (value, options = {}) => { const num = Number(value); if (isNaN(num)) return false; if (options.min !== undefined && num < options.min) return false; if (options.max !== undefined && num > options.max) return false; if (options.integer && !Number.isInteger(num)) return false; return true; }, boolean: (value) => { return typeof value === 'boolean' || value === 'true' || value === 'false'; }, // Advanced Validators email: (value) => { const emailPattern = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/; return emailPattern.test(value); }, url: (value, options = {}) => { try { const url = new URL(value); if (options.allowedProtocols && !options.allowedProtocols.includes(url.protocol.slice(0, -1))) { return false; } if (options.allowedDomains && !options.allowedDomains.some(domain => url.hostname.endsWith(domain))) { return false; } return true; } catch { return false; } }, phone: (value, options = {}) => { const phonePattern = options.pattern || /^[\+]?[1-9][\d]{0,15}$/; return phonePattern.test(value.replace(/[\s\-]/g, '')); }, creditCard: (value) => { // Luhn algorithm const digits = value.replace(/\D/g, ''); let sum = 0; let isEvenIndex = false; for (let i = digits.length - 1; i >= 0; i--) { let digit = parseInt(digits.charAt(i), 10); if (isEvenIndex) { digit *= 2; if (digit > 9) { digit -= 9; } } sum += digit; isEvenIndex = !isEvenIndex; } return sum % 10 === 0; }, ipAddress: (value, options = {}) => { const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/; const ipv6Pattern = /^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$/; if (options.version === 'v4') return ipv4Pattern.test(value); if (options.version === 'v6') return ipv6Pattern.test(value); return ipv4Pattern.test(value) || ipv6Pattern.test(value); }, // File Validators filename: (value, options = {}) => { const invalidChars = /[<>:"/\\|?*\x00-\x1f]/g; if (invalidChars.test(value)) return false; if (options.allowedExtensions) { const ext = value.split('.').pop().toLowerCase(); return options.allowedExtensions.includes(ext); } return true; }, // Security-Specific Validators noSqlInjection: (value) => { return !this.detectThreat(value, 'sqlInjection'); }, noXss: (value) => { return !this.detectThreat(value, 'xss'); }, noCommandInjection: (value) => { return !this.detectThreat(value, 'commandInjection'); }, noPathTraversal: (value) => { return !this.detectThreat(value, 'pathTraversal'); } }; } // Sanitizer Initialization initializeSanitizers() { return { // HTML Sanitization html: (input, options = {}) => { let sanitized = input; // Remove script tags if (options.removeScript !== false) { sanitized = sanitized.replace(/]*>.*?<\/script>/gi, ''); } // Remove style tags if (options.removeStyle !== false) { sanitized = sanitized.replace(/]*>.*?<\/style>/gi, ''); } // Remove dangerous attributes sanitized = sanitized.replace(/on\w+\s*=\s*["'][^"']*["']/gi, ''); sanitized = sanitized.replace(/javascript:/gi, ''); sanitized = sanitized.replace(/vbscript:/gi, ''); // Encode HTML entities sanitized = sanitized .replace(/&/g, '&') .replace(//g, '>') .replace(/"/g, '"') .replace(/'/g, ''') .replace(/\//g, '/'); return sanitized; }, // SQL Sanitization (Parameter Binding) sql: (input, options = {}) => { if (typeof input !== 'string') return input; // Escape single quotes return input.replace(/'/g, "''"); }, // JavaScript String Sanitization javascript: (input) => { return input .replace(/\\/g, '\\\\') .replace(/'/g, "\\'") .replace(/"/g, '\\"') .replace(/\n/g, '\\n') .replace(/\r/g, '\\r') .replace(/\t/g, '\\t'); }, // URL Component Sanitization url: (input, options = {}) => { if (options.component === 'query') { return encodeURIComponent(input); } else if (options.component === 'path') { return encodeURI(input); } return encodeURI(input); }, // File Path Sanitization filepath: (input) => { return input .replace(/\.\.[\/\\]/g, '') .replace(/[<>:"|?*\x00-\x1f]/g, '') .replace(/^[\/\\]+/, '') .replace(/[\/\\]+$/, ''); }, // Command Line Sanitization shell: (input) => { // Remove dangerous characters return input.replace(/[\|&;`'\"\$<>]/g, ''); }, // XML Sanitization xml: (input) => { return input .replace(/&/g, '&') .replace(//g, '>') .replace(/"/g, '"') .replace(/'/g, '''); }, // LDAP Sanitization ldap: (input) => { return input .replace(/\\/g, '\\5c') .replace(/\*/g, '\\2a') .replace(/$/g, '\\28') .replace(/$/g, '\\29') .replace(/\x00/g, '\\00'); } }; } // Threat Detection detectThreat(input, threatType) { if (!this.securityPatterns[threatType]) { return false; } const patterns = this.securityPatterns[threatType]; return patterns.some(pattern => pattern.test(input)); } // Comprehensive Security Scan performSecurityScan(input) { const threats = []; for (const [threatType, patterns] of Object.entries(this.securityPatterns)) { if (patterns.some(pattern => pattern.test(input))) { threats.push(threatType); } } if (threats.length > 0) { this.stats.securityThreatsDetected++; } return threats; } // Main Validation Method validate(input, schema, context = {}) { try { this.stats.validationsPerformed++; // Check cache first const cacheKey = this.generateCacheKey(input, schema); if (this.config.enableCaching && this.validationCache.has(cacheKey)) { return this.validationCache.get(cacheKey); } const result = this.validateValue(input, schema, context); // Cache successful validations if (this.config.enableCaching && result.isValid) { this.addToCache(cacheKey, result); } if (!result.isValid) { this.stats.validationsFailed++; } return result; } catch (error) { this.stats.validationsFailed++; return { isValid: false, errors: [`Validation error: ${error.message}`], sanitized: input }; } } validateValue(input, schema, context, path = '') { const result = { isValid: true, errors: [], warnings: [], sanitized: input, threats: [] }; // Handle null/undefined if (input == null) { if (schema.required) { result.isValid = false; result.errors.push(`${path || 'Value'} is required`); } return result; } // Pre-processing if (this.config.trimInputs && typeof input === 'string') { input = input.trim(); result.sanitized = input; } // Length validation if (typeof input === 'string' && input.length > this.config.maxInputLength) { result.isValid = false; result.errors.push(`${path || 'Input'} exceeds maximum length of ${this.config.maxInputLength}`); return result; } // Security threat detection if (typeof input === 'string') { const threats = this.performSecurityScan(input); if (threats.length > 0) { result.threats = threats; if (this.config.strictMode) { result.isValid = false; result.errors.push(`Security threat detected: ${threats.join(', ')}`); } else { result.warnings.push(`Potential security threat: ${threats.join(', ')}`); } } } // Type validation if (schema.type) { const validator = this.validators[schema.type]; if (validator && !validator(input, schema.options)) { result.isValid = false; result.errors.push(`${path || 'Value'} is not a valid ${schema.type}`); return result; } } // Custom validation rules if (schema.custom) { for (const [ruleName, ruleConfig] of Object.entries(schema.custom)) { const customValidator = this.config.customRules[ruleName]; if (customValidator) { const customResult = customValidator(input, ruleConfig); if (!customResult.isValid) { result.isValid = false; result.errors.push(...customResult.errors); } } } } // Sanitization if (schema.sanitize) { for (const [sanitizer, options] of Object.entries(schema.sanitize)) { const sanitizerFn = this.sanitizers[sanitizer]; if (sanitizerFn) { result.sanitized = sanitizerFn(result.sanitized, options); this.stats.sanitizationsPerformed++; } } } // Nested object validation if (schema.properties && typeof input === 'object') { result.sanitized = {}; for (const [key, subSchema] of Object.entries(schema.properties)) { const subResult = this.validateValue(input[key], subSchema, context, `${path}.${key}`); if (!subResult.isValid) { result.isValid = false; result.errors.push(...subResult.errors); } result.warnings.push(...subResult.warnings); result.threats.push(...subResult.threats); result.sanitized[key] = subResult.sanitized; } } // Array validation if (schema.items && Array.isArray(input)) { result.sanitized = []; input.forEach((item, index) => { const subResult = this.validateValue(item, schema.items, context, `${path}[${index}]`); if (!subResult.isValid) { result.isValid = false; result.errors.push(...subResult.errors); } result.warnings.push(...subResult.warnings); result.threats.push(...subResult.threats); result.sanitized.push(subResult.sanitized); }); } return result; } // Sanitization Methods sanitize(input, sanitizers, options = {}) { let result = input; for (const sanitizer of sanitizers) { const sanitizerFn = this.sanitizers[sanitizer]; if (sanitizerFn) { result = sanitizerFn(result, options[sanitizer]); this.stats.sanitizationsPerformed++; } } return result; } // Context-Aware Sanitization sanitizeForContext(input, context) { switch (context) { case 'html': return this.sanitizers.html(input); case 'html-attribute': return this.sanitizers.html(input, { strictAttributeMode: true }); case 'javascript': return this.sanitizers.javascript(input); case 'sql': return this.sanitizers.sql(input); case 'url': return this.sanitizers.url(input); case 'css': return input.replace(/[<>'"]/g, ''); case 'json': return JSON.stringify(input); default: return this.sanitizers.html(input); } } // Batch Validation validateBatch(inputs, schemas) { const results = []; for (let i = 0; i < inputs.length; i++) { const input = inputs[i]; const schema = schemas[i] || schemas[0]; // Use first schema as fallback results.push(this.validate(input, schema)); } return { results, allValid: results.every(r => r.isValid), errors: results.flatMap(r => r.errors), warnings: results.flatMap(r => r.warnings), threats: [...new Set(results.flatMap(r => r.threats))], sanitized: results.map(r => r.sanitized) }; } // Schema Builder Helpers static schema() { return new SchemaBuilder(); } // Utility Methods generateCacheKey(input, schema) { return `${JSON.stringify(input)}_${JSON.stringify(schema)}`; } addToCache(key, result) { if (this.validationCache.size >= this.config.cacheSize) { const firstKey = this.validationCache.keys().next().value; this.validationCache.delete(firstKey); } this.validationCache.set(key, result); } getStats() { return { ...this.stats }; } clearCache() { this.validationCache.clear(); } } // Schema Builder Class class SchemaBuilder { constructor() { this.schema = {}; } type(type) { this.schema.type = type; return this; } required(required = true) { this.schema.required = required; return this; } options(options) { this.schema.options = options; return this; } sanitize(sanitizers) { this.schema.sanitize = sanitizers; return this; } custom(rules) { this.schema.custom = rules; return this; } properties(properties) { this.schema.properties = properties; return this; } items(itemSchema) { this.schema.items = itemSchema; return this; } build() { return this.schema; } } // Usage Examples const validator = new InputSecurityFramework({ strictMode: true, maxInputLength: 5000, htmlSanitization: { allowedTags: ['p', 'br', 'strong', 'em'], allowedAttributes: ['class'] } }); // Basic validation examples const userInputSchema = InputSecurityFramework.schema() .type('string') .required() .options({ minLength: 3, maxLength: 100 }) .sanitize({ html: {}, javascript: {} }) .build(); const emailSchema = InputSecurityFramework.schema() .type('email') .required() .sanitize({ html: {} }) .build(); // Validate user input const userResult = validator.validate('Hello World', userInputSchema); console.log('User input validation:', userResult); // Validate email const emailResult = validator.validate('user@example.com', emailSchema); console.log('Email validation:', emailResult); // Complex object validation const userProfileSchema = InputSecurityFramework.schema() .properties({ name: InputSecurityFramework.schema() .type('string') .required() .options({ minLength: 2, maxLength: 50 }) .sanitize({ html: {} }) .build(), email: InputSecurityFramework.schema() .type('email') .required() .sanitize({ html: {} }) .build(), age: InputSecurityFramework.schema() .type('number') .options({ min: 0, max: 120, integer: true }) .build(), website: InputSecurityFramework.schema() .type('url') .options({ allowedProtocols: ['http', 'https'] }) .sanitize({ url: {} }) .build() }) .build(); const userProfile = { name: 'John Doe', email: 'john@example.com', age: 30, website: 'https://johndoe.com' }; const profileResult = validator.validate(userProfile, userProfileSchema); console.log('Profile validation:', profileResult); // Batch validation const inputs = ['test1', 'test2', 'test3']; const schema = InputSecurityFramework.schema() .type('string') .options({ minLength: 3 }) .build(); const batchResult = validator.validateBatch(inputs, [schema]); console.log('Batch validation:', batchResult); // Context-aware sanitization const htmlContent = '

Hello World

'; const sanitizedForHtml = validator.sanitizeForContext(htmlContent, 'html'); const sanitizedForJs = validator.sanitizeForContext(htmlContent, 'javascript'); console.log('HTML sanitized:', sanitizedForHtml); console.log('JS sanitized:', sanitizedForJs); // Security threat detection const maliciousInput = "'; DROP TABLE users; --"; const threats = validator.performSecurityScan(maliciousInput); console.log('Detected threats:', threats); // Get statistics console.log('Validation statistics:', validator.getStats()); export { InputSecurityFramework, SchemaBuilder };

Input Validation and Sanitization

Written by Rahul Aher