admin/goodgo-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9cea3828e86d9f7087f8fc8054edaae2087a01a
goodgo-platform/apps/api/src/modules/inquiries/inquiries.module.ts
Ho Ngoc Hai 3287298592 feat(inquiries): sanitize HTML in inquiry message at application layer (TEC-2929) 
- Add SanitizeHtmlService (whitelist: b, i, br, p, a) using sanitize-html.
- Force rel="noopener noreferrer nofollow" and target="_blank" on anchors.
- Restrict URL schemes to http/https/mailto/tel; drop javascript: links.
- Wire sanitizer into CreateInquiryHandler before InquiryEntity.createNew.
- Register provider in InquiriesModule.
- Add unit tests: 7 for the service + 2 handler-level XSS payload tests
  (<script>...</script> and <img onerror=...> stripped).

Defense-in-depth complement to global SanitizeInputMiddleware so internal
command paths bypassing HTTP middleware (queues, imports) stay safe.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-20 10:47:22 +07:00

31 lines
1.3 KiB
TypeScript
Raw Blame History

import { Module } from '@nestjs/common';
import { CqrsModule } from '@nestjs/cqrs';
import { CreateInquiryHandler } from './application/commands/create-inquiry/create-inquiry.handler';
import { MarkInquiryReadHandler } from './application/commands/mark-inquiry-read/mark-inquiry-read.handler';
import { GetInquiriesByAgentHandler } from './application/queries/get-inquiries-by-agent/get-inquiries-by-agent.handler';
import { GetInquiriesByListingHandler } from './application/queries/get-inquiries-by-listing/get-inquiries-by-listing.handler';
import { SanitizeHtmlService } from './application/services/sanitize-html.service';
import { INQUIRY_REPOSITORY } from './domain/repositories/inquiry.repository';
import { PrismaInquiryRepository } from './infrastructure/repositories/prisma-inquiry.repository';
import { InquiriesController } from './presentation/controllers/inquiries.controller';
const CommandHandlers = [CreateInquiryHandler, MarkInquiryReadHandler];
const QueryHandlers = [
GetInquiriesByListingHandler,
GetInquiriesByAgentHandler,
];
@Module({
imports: [CqrsModule],
controllers: [InquiriesController],
providers: [
{ provide: INQUIRY_REPOSITORY, useClass: PrismaInquiryRepository },
SanitizeHtmlService,
...CommandHandlers,
...QueryHandlers,
],
exports: [INQUIRY_REPOSITORY],
})
export class InquiriesModule {}
Reference in New Issue View Git Blame Copy Permalink