xss mitigation & test

internal/utils/validators.go

@@ -7,7 +7,9 @@ import (
 	"GoMembership/internal/models"
 	"GoMembership/pkg/logger"
 	"reflect"
+	"regexp"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/go-playground/validator/v10"
@@ -15,19 +17,24 @@ import (
 	"github.com/jbub/banking/swift"
 )
 
-//
-// func IsEmailValid(email string) bool {
-// 	regex := `^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,}$`
-// 	re := regexp.MustCompile(regex)
-// 	return re.MatchString(email)
-// }
+var xssPatterns = []*regexp.Regexp{
+	regexp.MustCompile(`(?i)<script`),
+	regexp.MustCompile(`(?i)javascript:`),
+	regexp.MustCompile(`(?i)on\w+\s*=`),
+	regexp.MustCompile(`(?i)(vbscript|data):`),
+	regexp.MustCompile(`(?i)<(iframe|object|embed|applet)`),
+	regexp.MustCompile(`(?i)expression\s*\(`),
+	regexp.MustCompile(`(?i)url\s*\(`),
+	regexp.MustCompile(`(?i)<\?`),
+	regexp.MustCompile(`(?i)<%`),
+	regexp.MustCompile(`(?i)<!\[CDATA\[`),
+	regexp.MustCompile(`(?i)<(svg|animate)`),
+	regexp.MustCompile(`(?i)<(audio|video|source)`),
+	regexp.MustCompile(`(?i)base64`),
+}
 
 func AgeValidator(fl validator.FieldLevel) bool {
 	fieldValue := fl.Field()
-	// Ensure the field is of type time.Time
-	// if fieldValue.Kind() != reflect.Struct || !fieldValue.Type().ConvertibleTo(reflect.TypeOf(time.Time{})) {
-	// 	return false
-	// }
 	dateOfBirth := fieldValue.Interface().(time.Time)
 	now := time.Now()
 	age := now.Year() - dateOfBirth.Year()
@@ -113,3 +120,13 @@ func BICValidator(fl validator.FieldLevel) bool {
 
 	return swift.Validate(fieldValue) == nil
 }
+
+func ValidateSafeContent(fl validator.FieldLevel) bool {
+	input := strings.ToLower(fl.Field().String())
+	for _, pattern := range xssPatterns {
+		if pattern.MatchString(input) {
+			return false
+		}
+	}
+	return true
+}