Security/Enhance: Implement CSP Headers & SVG Injection Prevention #84

@vib3withsimran

Type: security
Level: advanced
Labels: gssoc26, type:security, hardening

Description:

The app currently lacks a Content Security Policy and strict SVG validation, leaving it vulnerable to XSS attacks through user input in profiles.

Security Risks

  1. SVG Injection - Usernames/bios with special characters could break SVG structure
  2. No CSP Headers - Missing Content-Security-Policy allows inline scripts
  3. Insufficient Escaping - Some user data may not be fully sanitized

What's Needed

  1. Add CSP Headers (profile.route.js)

  2. Enhance escapeXml() Function

  • Ensure ALL special XML chars are escaped: & < > " '
  • Test with attack vectors like: <script>, javascript:, on*=

  3. Input Validation

  • Validate usernames against strict regex (already done)
  • Validate platform handles (LeetCode, Codeforces, CodeChef)
  • Reject input with suspicious patterns

  4. Security Tests

  • Test with XSS payloads: "><script>alert(1)</script>, etc.
  • Verify CSP headers are set on all responses
  • Check SVG renders safely with malicious input
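As an added illustration of points 1 to 3 (not code from this repository), the block below shows an escapeXml() that covers all five XML special characters, a strict handle validator, and a small Express-style middleware that sets a restrictive CSP on SVG responses. The policy string, the regex, and the function names are assumptions, not the project's existing API.

```javascript
// Added example, not the project's code. Escape the five XML special
// characters so untrusted text is safe inside SVG text content and
// inside double- or single-quoted attribute values.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escaping does not make a value safe as a URL (href/xlink:href), so
// platform handles are validated against a strict allow-list instead.
// Assumed rule: 1-39 chars of letters, digits, underscore or hyphen.
const HANDLE_RE = /^[A-Za-z0-9_-]{1,39}$/;
function isValidHandle(handle) {
  return typeof handle === 'string' && HANDLE_RE.test(handle);
}

// Render a minimal SVG <text> node from an untrusted username.
function renderNameTag(username) {
  return `<text x="10" y="20">${escapeXml(username)}</text>`;
}

// Assumed policy for SVG responses: no scripts, no inline event
// handlers, no external loads; inline styles allowed for the renderer.
const SVG_CSP =
  "default-src 'none'; style-src 'unsafe-inline'; img-src data:; frame-ancestors 'none'";

// Express-style middleware; it only touches res.setHeader and next(),
// so it also runs against a plain object in tests.
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', SVG_CSP);
  res.setHeader('X-Content-Type-Options', 'nosniff');
  next();
}

// Self-check with constructed payloads taken from the issue text.
function selfCheck() {
  const payloads = ['"><script>alert(1)</script>', 'x" onload="alert(1)', "javascript:alert(1)"];
  return payloads.every((p) => {
    const out = renderNameTag(p);
    return !out.includes('<script') && !out.includes('" onload=');
  });
}

module.exports = { escapeXml, isValidHandle, renderNameTag, cspMiddleware, SVG_CSP, selfCheck };
```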

Files to Modify

  • src/routes/profile.route.js (add CSP middleware)
  • src/renderers/svg.renderer.js (enhance escapeXml)
  • src/services/github.service.js (validate data)

Kindly assign this issue to me under gssoc26!
Thank you

Acceptance Criteria

✅ CSP headers present on all profile responses
✅ XSS payloads are escaped and render as text, not code
✅ Security audit passes (use OWASP guidelines)
✅ Unit tests verify injection attempts fail safely
