Enhance FormData with XSS validation feature.

[Ray0907]

Types of changes

• [ ] Bug fix (a non-breaking change which fixes an issue)
• [x ] New feature (a non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to change)

Description

The original version doesn't support FormData, resulting in blocking all FormData requests. This pull request adds a feature to enhance FormData support. Fix #400

Checklist:

• [ ] My change requires a change to the documentation.
• [ ] I have updated the documentation accordingly.
• [ ] I have added tests to cover my changes (if not applicable, please state why)

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
nuxt-security	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Mar 12, 2024 2:53pm

[Baroshem]

Hey @Ray0907

Thanks for this PR! I will review it in the upcoming days (quite budy days recently)

[Ray0907]

@Baroshem I'm considering an alternative approach. If I use h3 readMultipartFormData and parse the FormData similar to reading the response body, and only check if the FormData is valid, would that be effective? Because as far as I understand, the XSS validator only checks text. Am I correct? If this approach works, perhaps I'll rewrite the feature

[Baroshem]

Hey @Ray0907

That sounds like an interesting idea. Have you tried how it behaves if a user passes a malicious code in the params?

Like

http/localhost:3000?user=<script>

If it does not break or handles this case properly (it should be validated by XSS as issue and return 400 error) I think we could try this approach :)