Jason Woltje
01639fff95
feat(#285): Add input sanitization for XSS prevention
Security improvements:
- Create sanitization utility using sanitize-html library
- Add @Sanitize() and @SanitizeObject() decorators for DTOs
- Apply sanitization to vulnerable fields:
- Connection rejection/disconnection reasons
- Connection metadata
- Identity linking metadata
- Command payloads
- Remove script tags, event handlers, javascript: URLs
- Prevent data exfiltration, CSS-based XSS, SVG-based XSS
Changes:
- Add sanitize.util.ts with recursive sanitization functions
- Add sanitize.decorator.ts for class-transformer integration
- Update connection.dto.ts with sanitization decorators
- Update identity-linking.dto.ts with sanitization decorators
- Update command.dto.ts with sanitization decorators
- Add comprehensive test coverage including attack vectors
Part of M7.1 Remediation Sprint P1 security fixes.
Fixes #285
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>