xss mitigation & test

internal/models/bank_account.go

@@ -6,8 +6,8 @@ type BankAccount struct {
 	CreatedAt         time.Time
 	UpdatedAt         time.Time
 	MandateDateSigned time.Time `gorm:"not null"` // json:"mandate_date_signed"`
-	Bank              string    //`json:"bank_name" validate:"omitempty,alphanumunicode"`
-	AccountHolderName string    //`json:"account_holder_name" validate:"omitempty,alphaunicode"`
+	Bank              string    //`json:"bank_name" validate:"omitempty,alphanumunicode,safe_content"`
+	AccountHolderName string    //`json:"account_holder_name" validate:"omitempty,alphaunicode,safe_content"`
 	IBAN              string    `gorm:"not null" json:"iban" validate:"required,iban"`
 	BIC               string    //`json:"bic" validate:"omitempty,bic"`
 	MandateReference  string    `gorm:"not null"` //json:"mandate_reference"`

internal/models/consents.go

@@ -5,10 +5,10 @@ import "time"
 type Consent struct {
 	CreatedAt   time.Time
 	UpdatedAt   time.Time
-	FirstName   string `gorm:"not null" json:"first_name"`
-	LastName    string `gorm:"not null" json:"last_name"`
-	Email       string `json:"email"`
-	ConsentType string `gorm:"not null" json:"consent_type"`
+	FirstName   string `gorm:"not null" json:"first_name" validate:"safe_content"`
+	LastName    string `gorm:"not null" json:"last_name" validate:"safe_content"`
+	Email       string `json:"email" validate:"email,safe_content"`
+	ConsentType string `gorm:"not null" json:"consent_type" validate:"safe_content"`
 	ID          int64  `gorm:"primaryKey"`
 	UserID      int64  `gorm:"not null" json:"user_id"`
 }

internal/models/membership.go

@@ -7,7 +7,7 @@ type Membership struct {
 	UpdatedAt           time.Time
 	StartDate           time.Time         `json:"start_date"`
 	EndDate             time.Time         `json:"end_date"`
-	Status              string            `json:"status"`
+	Status              string            `json:"status" validate:"safe_content"`
 	SubscriptionModel   SubscriptionModel `gorm:"foreignKey:SubscriptionModelID" json:"subscription_model"`
 	ParentMembershipID  int64             `json:"parent_member_id" validate:"omitempty,omitnil,number"`
 	SubscriptionModelID int64             `json:"subsription_model_id"`

internal/models/subscription_model.go

@@ -7,13 +7,13 @@ import (
 type SubscriptionModel struct {
 	CreatedAt               time.Time
 	UpdatedAt               time.Time
-	Name                    string  `json:"name" validate:"required,subscriptionModel"`
+	Name                    string  `gorm:"unique" json:"name" validate:"required,subscriptionModel,safe_content"`
 	Details                 string  `json:"details" validate:"required"`
 	Conditions              string  `json:"conditions"`
 	RequiredMembershipField string  `json:"required_membership_field" validate:"membershipField"`
 	ID                      int64   `gorm:"primaryKey"`
-	MonthlyFee              float32 `json:"monthly_fee" validate:"required,number"`
-	HourlyRate              float32 `json:"hourly_rate" validate:"required,number"`
-	IncludedPerYear         int16   `json:"included_hours_per_year" validate:"omitempty,number"`
-	IncludedPerMonth        int16   `json:"included_hours_per_month" validate:"omitempty,number"`
+	MonthlyFee              float32 `json:"monthly_fee" validate:"required,number,gte=0"`
+	HourlyRate              float32 `json:"hourly_rate" validate:"required,number,gte=0"`
+	IncludedPerYear         int16   `json:"included_hours_per_year" validate:"omitempty,number,gte=0"`
+	IncludedPerMonth        int16   `json:"included_hours_per_month" validate:"omitempty,number,gte=0"`
 }

internal/models/user.go

@@ -12,17 +12,17 @@ type User struct {
 	UpdatedAt      time.Time
 	DateOfBirth    time.Time `gorm:"not null" json:"date_of_birth" validate:"required,age"`
 	CreatedAt      time.Time
-	Company        string       `json:"company" validate:"omitempty,omitnil"`
-	Phone          string       `json:"phone" validate:"omitempty,omitnil"`
-	Notes          *string      `json:"notes"`
-	FirstName      string       `gorm:"not null" json:"first_name" validate:"required"`
-	Password       string       `json:"password" validate:"required_unless=RoleID 0"`
-	Email          string       `gorm:"unique;not null" json:"email" validate:"required,email"`
-	LastName       string       `gorm:"not null" json:"last_name" validate:"required"`
-	ProfilePicture string       `json:"profile_picture" validate:"omitempty,omitnil,image"`
-	Address        string       `gorm:"not null" json:"address" validate:"required"`
-	ZipCode        string       `gorm:"not null" json:"zip_code" validate:"required,alphanum"`
-	City           string       `form:"not null" json:"city" validate:"required,alphaunicode"`
+	Company        string       `json:"company" validate:"omitempty,omitnil,safe_content"`
+	Phone          string       `json:"phone" validate:"omitempty,omitnil,safe_content"`
+	Notes          *string      `json:"notes,safe_content"`
+	FirstName      string       `gorm:"not null" json:"first_name" validate:"required,safe_content"`
+	Password       string       `json:"password" validate:"required_unless=RoleID 0,safe_content"`
+	Email          string       `gorm:"unique;not null" json:"email" validate:"required,email,safe_content"`
+	LastName       string       `gorm:"not null" json:"last_name" validate:"required,safe_content"`
+	ProfilePicture string       `json:"profile_picture" validate:"omitempty,omitnil,image,safe_content"`
+	Address        string       `gorm:"not null" json:"address" validate:"required,safe_content"`
+	ZipCode        string       `gorm:"not null" json:"zip_code" validate:"required,alphanum,safe_content"`
+	City           string       `form:"not null" json:"city" validate:"required,alphaunicode,safe_content"`
 	Consents       []Consent    `gorm:"constraint:OnUpdate:CASCADE"`
 	BankAccount    BankAccount  `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;" json:"bank_account"`
 	Verification   Verification `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;"`