VCST-4691: Add InputValidationOptions to prevent HTML/XSS injections #130

Merged
OlegoO merged 6 commits into dev from fix/VCST-4713 on Mar 17, 2026

Conversation

@OlegoO (Contributor) commented Mar 13, 2026

Description

feat: Adds InputValidationOptions to prevent HTML/XSS injections by adding NameValidationPattern, toggles HTML tag rejection for non-name fields (username, phone, address fields), toggles broader script injection check for free-text fields (about, description, message).

The module includes server-side input validation to prevent stored XSS attacks. Validation is configurable via appsettings.json under FrontendSecurity:InputValidation:

```json
{
  "FrontendSecurity": {
    "InputValidation": {
      "NameValidationPattern": "^[\\p{L}\\p{M}\\s'\\-\\.]+$",
      "OrganizationNameValidationPattern": "^[\\p{L}\\p{M}\\p{N}\\s'\\-\\.&#/,()]+$",
      "EnableNoHtmlTagsValidation": true,
      "EnableScriptInjectionValidation": true
    }
  }
}
```
| Setting | Default | Description |
|---|---|---|
| `NameValidationPattern` | `^[\p{L}\p{M}\s'\-\.]+$` | Allow-list regex for person name fields (firstName, lastName, fullName). Permits Unicode letters, diacritics, spaces, apostrophes, hyphens, and dots. Set to an empty string to disable. |
| `OrganizationNameValidationPattern` | `^[\p{L}\p{M}\p{N}\s'\-\.&#/,()]+$` | Allow-list regex for organization name fields. Additionally permits numbers and `&`, `#`, `/`, `,`, `(`, `)` for names like "3M", "AT&T", "H&M". Set to an empty string to disable. |
| `EnableNoHtmlTagsValidation` | `true` | Rejects HTML tags (`<...>`) in non-name fields (username, phone, address lines, city). Set to `false` to disable. |
| `EnableScriptInjectionValidation` | `true` | Rejects script injection patterns (`<script>`, `javascript:`, `vbscript:`, `data:text/html`) in free-text fields (description). Set to `false` to disable. |

MaxLength constraints are always enforced regardless of configuration.

References

QA-test:

Jira-link:

https://virtocommerce.atlassian.net/browse/VCST-4713
https://virtocommerce.atlassian.net/browse/VCST-4691

Artifact URL:

https://vc3prerelease.blob.core.windows.net/packages/VirtoCommerce.ProfileExperienceApiModule_3.1002.0-pr-130-9776.zip


Note

Medium Risk
Adds new validation rules that can cause previously accepted contact/org/account/address/registration inputs to be rejected, impacting user-facing flows if clients rely on permissive input. Behavior is configurable but now enforced by default on multiple command handlers.

Overview
Introduces configurable InputValidationOptions (bound from FrontendSecurity:InputValidation) to enforce allow-list name/org-name regexes, max lengths, and optional rejection of HTML tags and common script-injection patterns.

Wires these FluentValidation checks into write paths (CreateOrganization, UpdateOrganization, UpdateContact, UpdateMemberAddresses, UpdatePersonalData, and RegisterByInvitation) and adds dedicated validators + extension rules, with new unit tests and README documentation for configuration. Also suppresses a specific NuGet audit advisory (GHSA-rvv3-g6hj-g44x).

Written by Cursor Bugbot for commit 9776e82. This will update automatically on new commits.
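To make the four settings concrete, here is an added example (not the module's own C#/FluentValidation code) that applies the PR's default patterns and toggles to sample profile fields in JavaScript, whose `u` flag supports the same `\p{L}`, `\p{M}` and `\p{N}` classes as the .NET regexes. The field kinds, the max-length values, the treatment of empty values and the profile layout are assumptions made for the example; the patterns and the block-list markers are the ones the PR describes.

```javascript
// Added illustration, not the module's C#/FluentValidation code: the four
// FrontendSecurity:InputValidation settings from the PR applied to sample
// inputs, so the allow-list (name/org) and block-list (tags/script) rules
// can be compared side by side. Patterns are the PR defaults; field kinds
// and max lengths are assumptions for the example.
const defaultOptions = {
  nameValidationPattern: "^[\\p{L}\\p{M}\\s'\\-\\.]+$",
  organizationNameValidationPattern: "^[\\p{L}\\p{M}\\p{N}\\s'\\-\\.&#/,()]+$",
  enableNoHtmlTagsValidation: true,
  enableScriptInjectionValidation: true,
};

// Which rule set each field kind receives, mirroring the PR description.
// The MaxLength values are assumed; the PR says only that they always apply.
const FIELD_KINDS = {
  name:             { maxLength: 128,  allowListKey: "nameValidationPattern" },
  organizationName: { maxLength: 256,  allowListKey: "organizationNameValidationPattern" },
  plain:            { maxLength: 256,  noHtmlTags: true },      // username, phone, address lines, city
  freeText:         { maxLength: 2048, scriptInjection: true }, // description
};

// Block-list patterns as the PR describes them: any "<...>" tag, and the
// listed script-injection markers, matched case-insensitively.
const HTML_TAG = /<[^>]*>/;
const SCRIPT_INJECTION = /<script|javascript:|vbscript:|data:text\/html/i;

// An empty pattern string disables the allow-list (as the README states).
// The "u" flag is what makes \p{L}, \p{M}, \p{N} work in JavaScript.
function compileAllowList(pattern) {
  return pattern ? new RegExp(pattern, "u") : null;
}

// Returns the list of validation errors for one field value (empty = valid).
function validateField(kind, value, options = defaultOptions) {
  const spec = FIELD_KINDS[kind];
  if (!spec) throw new Error(`unknown field kind: ${kind}`);
  if (typeof value !== "string") return ["value must be a string"];

  const errors = [];

  // MaxLength is enforced regardless of configuration.
  if (value.length > spec.maxLength) {
    errors.push(`exceeds max length ${spec.maxLength}`);
  }

  // Allow-list: the whole value must consist of permitted characters.
  // Empty values are treated as "not provided" here (an assumption).
  if (spec.allowListKey) {
    const allowList = compileAllowList(options[spec.allowListKey]);
    if (allowList && value.length > 0 && !allowList.test(value)) {
      errors.push("contains characters outside the allow-list");
    }
  }

  // Block-lists: only consulted when the corresponding toggle is on.
  if (spec.noHtmlTags && options.enableNoHtmlTagsValidation && HTML_TAG.test(value)) {
    errors.push("HTML tags are not allowed");
  }
  if (spec.scriptInjection && options.enableScriptInjectionValidation && SCRIPT_INJECTION.test(value)) {
    errors.push("script injection pattern detected");
  }
  return errors;
}

// Validates a whole profile object; returns { fieldName: [errors] } for
// the invalid fields only. The field-to-kind layout is assumed.
function validateProfile(profile, options = defaultOptions) {
  const layout = {
    firstName: "name", lastName: "name", organizationName: "organizationName",
    userName: "plain", phone: "plain", addressLine1: "plain", city: "plain",
    description: "freeText",
  };
  const result = {};
  for (const [field, kind] of Object.entries(layout)) {
    if (!(field in profile)) continue;
    const errors = validateField(kind, profile[field], options);
    if (errors.length) result[field] = errors;
  }
  return result;
}

// Constructed sample input: legitimate international data mixed with
// values the new rules are meant to reject.
const sampleProfile = {
  firstName: "José",
  lastName: "Müller-O'Brien",
  organizationName: "AT&T (Europe) #3, Inc.",
  userName: "jose<img src=x>",
  phone: "+49 30 1234567",
  description: "Contact me: JavaScript:void(0) or price < 100",
};

console.log(JSON.stringify(validateProfile(sampleProfile), null, 2));
```

Two things worth checking when tuning these settings: `\s` in the name patterns admits tabs, newlines and other Unicode whitespace, so a literal space in the class is the stricter choice if only spaces are wanted; and once `NameValidationPattern` is set to an empty string, name fields receive no tag check at all (they are not covered by `EnableNoHtmlTagsValidation`), so the stored value then depends entirely on output encoding in the storefront.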

…ctions

feat: Adds InputValidationOptions to prevent HTML/XSS injections by adding NameValidationPattern, toggle HTML tag rejection for non-name fields (username, phone, address fields), toggle broader script injection check for free-text fields (about, description, message).
@OlegoO OlegoO requested a review from a team as a code owner March 13, 2026 10:18
@OlegoO OlegoO requested a review from ksavosteev March 13, 2026 10:34
@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.783
Timestamp: 13-03-2026T10:29:13

@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.825
Timestamp: 13-03-2026T10:41:09

@kutasinaelena kutasinaelena changed the title VCST-4713: Added InputValidationOptions to prevent from HTML/XSS injections VCST-4691: Added InputValidationOptions to prevent from HTML/XSS injections Mar 16, 2026
@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.785
Timestamp: 17-03-2026T07:14:30

@artem-dudarev artem-dudarev changed the title VCST-4691: Added InputValidationOptions to prevent from HTML/XSS injections VCST-4691: Add InputValidationOptions to prevent HTML/XSS injections Mar 17, 2026
@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 8.157
Timestamp: 17-03-2026T11:19:39

@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 7.91
Timestamp: 17-03-2026T11:36:51

@sonarqubecloud

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

@vc-ci (Contributor) left a comment

Test Suite: Test Suites/Modules/module_Assets
Tests: 13
Failures: 0
Errors: 0
Time: 8.363
Timestamp: 17-03-2026T12:44:41

@OlegoO OlegoO merged commit 6571e2d into dev Mar 17, 2026
17 of 19 checks passed
@OlegoO OlegoO deleted the fix/VCST-4713 branch March 17, 2026 14:37

3 participants