Merge pull request #144 from mcode/xss-middleware

smalho01 · web-flow · commit 3ca9aec597a6 · 2025-12-15T11:33:36.000-05:00
impliment middleware to prevent xss attacks
diff --git a/frontend/index.html b/frontend/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/png" href="/intermediary.png" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Rems Intermediary UI</title>
+    <title>PIMS Pharmacy</title>
   </head>
   <body>
     <div id="root"></div>
diff --git a/frontend/vite-xss-middleware.ts b/frontend/vite-xss-middleware.ts
@@ -0,0 +1,40 @@
+// vite-xss-fix.ts
+import { Plugin } from 'vite';
+
+export function viteXssMiddleware(): Plugin {
+  const middleware = (req: any, res: any, next: any) => {
+    const originalEnd = res.end;
+    const chunks: any[] = [];
+
+    res.end = function (chunk?: any) {
+      if (chunk) chunks.push(Buffer.from(chunk));
+
+      const body = Buffer.concat(chunks).toString();
+
+      // If Vite's error message is reflecting user input, replace it
+      if (body.includes('did you mean to visit') && body.includes('<a href=')) {
+        const safe = `<!DOCTYPE html>
+            <html>
+            <head><title>404 Not Found</title></head>
+            <body><h1>404 - Page Not Found</h1></body>
+            </html>`;
+        res.setHeader('Content-Type', 'text/html');
+        return originalEnd.call(res, safe);
+      }
+
+      return originalEnd.call(res, Buffer.concat(chunks));
+    };
+
+    next();
+  };
+
+  return {
+    name: 'vite-xss-fix',
+    configureServer(server) {
+      server.middlewares.use(middleware);
+    },
+    configurePreviewServer(server) {
+      server.middlewares.use(middleware);
+    }
+  };
+}
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
@@ -1,13 +1,12 @@
 import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
-
+import { viteXssMiddleware } from './vite-xss-middleware';
 import dotenv from 'dotenv';
 
 dotenv.config({ path: '.env' }); // load env vars from .env
 export default defineConfig({
-  // depending on your application, base can also be "/"
   base: process.env.REACT_APP_VITE_BASE || '',
-  plugins: [react()],
+  plugins: [react(), viteXssMiddleware()],
   preview: {
     allowedHosts: ['.mitre.org', '.elb.us-east-1.amazonaws.com'],
     port: parseInt(process.env.PORT!),
