@transcend-io/contact-form-schema - npm Package Compare versions

Comparing version 2.6.0 to 3.0.0

dist/esm/index.d.ts

@@ -13,11 +13,11 @@ import { z } from 'zod';
     /** The submitter's first name */
-    firstName: z.ZodOptional<z.ZodString>;
+    firstName: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's last name */
-    lastName: z.ZodOptional<z.ZodString>;
+    lastName: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's work email */
     email: z.ZodString;
     /** The submitter's job title */
-    title: z.ZodOptional<z.ZodString>;
+    title: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's company name */
-    company: z.ZodOptional<z.ZodString>;
+    company: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The company's employee count */
@@ -28,7 +28,7 @@ companySize: z.ZodOptional<z.ZodEnum<["Under 200 employees", "200 to 500 employees", "500 to 1000 employees", "1000 to 5000 employees", "Above 5000 employees"]>>;
     /** The submitter's country of residence */
-    country: z.ZodOptional<z.ZodString>;
+    country: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's state of residence */
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Any text that the submitter sent with this submission */
-    message: z.ZodOptional<z.ZodString>;
+    message: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** If this is a partner contacting us */
@@ -38,6 +38,6 @@ partnerType: z.ZodOptional<z.ZodEnum<["Technology partner", "Law firm partner", "Consulting partner"]>>;
     referralPartner: z.ZodOptional<z.ZodObject<{
-        partnerFirstName: z.ZodString;
-        partnerLastName: z.ZodString;
+        partnerFirstName: z.ZodEffects<z.ZodString, string, string>;
+        partnerLastName: z.ZodEffects<z.ZodString, string, string>;
         partnerEmail: z.ZodString;
-        partnerCompany: z.ZodString;
+        partnerCompany: z.ZodEffects<z.ZodString, string, string>;
     }, "strip", z.ZodTypeAny, {
@@ -116,17 +116,17 @@ partnerFirstName: string;
     /** Pardot visitor ID */
-    pardotVisitorId: z.ZodOptional<z.ZodString>;
+    pardotVisitorId: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The user's existing anonymousId from Segment */
-    anonymousId: z.ZodOptional<z.ZodString>;
+    anonymousId: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Which channel this traffic is coming from. In `main` this'll likely always be "Admin Dashboard" */
-    utm_source: z.ZodOptional<z.ZodString>;
+    utm_source: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** What type of channel this traffic is coming from. */
-    utm_medium: z.ZodOptional<z.ZodString>;
+    utm_medium: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Which marketing campaign this is coming from. */
-    utm_campaign: z.ZodOptional<z.ZodString>;
+    utm_campaign: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** A unique ID */
-    utm_id: z.ZodOptional<z.ZodString>;
+    utm_id: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Only relevant for search campaigns (e.g. what google search term they came from) */
-    utm_term: z.ZodOptional<z.ZodString>;
+    utm_term: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Only relevant for content-based campaigns (e.g. what blog post they were on) */
-    utm_content: z.ZodOptional<z.ZodString>;
+    utm_content: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
 }, "strip", z.ZodTypeAny, {
@@ -165,11 +165,11 @@ pardotCampaignId: string | number;
     /** The submitter's first name */
-    firstName: z.ZodOptional<z.ZodString>;
+    firstName: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's last name */
-    lastName: z.ZodOptional<z.ZodString>;
+    lastName: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's work email */
     email: z.ZodString;
     /** The submitter's job title */
-    title: z.ZodOptional<z.ZodString>;
+    title: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's company name */
-    company: z.ZodOptional<z.ZodString>;
+    company: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The company's employee count */
@@ -180,7 +180,7 @@ companySize: z.ZodOptional<z.ZodEnum<["Under 200 employees", "200 to 500 employees", "500 to 1000 employees", "1000 to 5000 employees", "Above 5000 employees"]>>;
     /** The submitter's country of residence */
-    country: z.ZodOptional<z.ZodString>;
+    country: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The submitter's state of residence */
-    state: z.ZodOptional<z.ZodString>;
+    state: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Any text that the submitter sent with this submission */
-    message: z.ZodOptional<z.ZodString>;
+    message: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** If this is a partner contacting us */
@@ -190,6 +190,6 @@ partnerType: z.ZodOptional<z.ZodEnum<["Technology partner", "Law firm partner", "Consulting partner"]>>;
     referralPartner: z.ZodOptional<z.ZodObject<{
-        partnerFirstName: z.ZodString;
-        partnerLastName: z.ZodString;
+        partnerFirstName: z.ZodEffects<z.ZodString, string, string>;
+        partnerLastName: z.ZodEffects<z.ZodString, string, string>;
         partnerEmail: z.ZodString;
-        partnerCompany: z.ZodString;
+        partnerCompany: z.ZodEffects<z.ZodString, string, string>;
     }, "strip", z.ZodTypeAny, {
@@ -263,17 +263,17 @@ partnerFirstName: string;
     /** Pardot visitor ID */
-    pardotVisitorId: z.ZodOptional<z.ZodString>;
+    pardotVisitorId: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** The user's existing anonymousId from Segment */
-    anonymousId: z.ZodOptional<z.ZodString>;
+    anonymousId: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Which channel this traffic is coming from. In `main` this'll likely always be "Admin Dashboard" */
-    utm_source: z.ZodOptional<z.ZodString>;
+    utm_source: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** What type of channel this traffic is coming from. */
-    utm_medium: z.ZodOptional<z.ZodString>;
+    utm_medium: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Which marketing campaign this is coming from. */
-    utm_campaign: z.ZodOptional<z.ZodString>;
+    utm_campaign: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** A unique ID */
-    utm_id: z.ZodOptional<z.ZodString>;
+    utm_id: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Only relevant for search campaigns (e.g. what google search term they came from) */
-    utm_term: z.ZodOptional<z.ZodString>;
+    utm_term: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
     /** Only relevant for content-based campaigns (e.g. what blog post they were on) */
-    utm_content: z.ZodOptional<z.ZodString>;
+    utm_content: z.ZodOptional<z.ZodEffects<z.ZodString, string, string>>;
 }, "strip", z.ZodTypeAny, {
@@ -280,0 +280,0 @@ pardotCampaignId: string | number;

dist/esm/index.js

@@ -0,1 +1,2 @@
+import DOMPurify from 'isomorphic-dompurify';
 import { phone } from 'phone';
@@ -8,4 +9,11 @@ import { z } from 'zod';
  */
-const CONTACT_FORM_VERSION = '2.6.0';
+const CONTACT_FORM_VERSION = '3.0.0';
 /**
+ * Sanitize inputs to prevent XSS
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+ */
+const SanitizedString = z.string().transform((value) => {
+    return DOMPurify.sanitize(value);
+});
+/**
  * The fields that are part of the contact form itself.
@@ -16,11 +24,11 @@ * This can be used to validate ALL contact forms, even if they omit some of the optional fields.
     /** The submitter's first name */
-    firstName: z.string().optional(),
+    firstName: SanitizedString.optional(),
     /** The submitter's last name */
-    lastName: z.string().optional(),
+    lastName: SanitizedString.optional(),
     /** The submitter's work email */
     email: z.string().email(),
     /** The submitter's job title */
-    title: z.string().optional(),
+    title: SanitizedString.optional(),
     /** The submitter's company name */
-    company: z.string().optional(),
+    company: SanitizedString.optional(),
     /** The company's employee count */
@@ -44,7 +52,7 @@ companySize: z
     /** The submitter's country of residence */
-    country: z.string().optional(),
+    country: SanitizedString.optional(),
     /** The submitter's state of residence */
-    state: z.string().optional(),
+    state: SanitizedString.optional(),
     /** Any text that the submitter sent with this submission */
-    message: z.string().optional(),
+    message: SanitizedString.optional(),
     /** If this is a partner contacting us */
@@ -57,6 +65,6 @@ partnerType: z
         .object({
-        partnerFirstName: z.string(),
-        partnerLastName: z.string(),
+        partnerFirstName: SanitizedString,
+        partnerLastName: SanitizedString,
         partnerEmail: z.string().email(),
-        partnerCompany: z.string(),
+        partnerCompany: SanitizedString,
     })
@@ -81,3 +89,8 @@ .optional(),
     /** The reCAPTCHA token (only for use on our marketing website) */
-    recaptchaToken: z.string().min(50).optional(),
+    recaptchaToken: z
+        .string()
+        .min(50)
+        // alphanumeric or underscore or hyphen
+        .regex(/^(\w|-)+$/)
+        .optional(),
     /** This is set up by the marketing team in Salesforce Pardot to label which contact form is being used */
@@ -91,17 +104,17 @@ pardotCampaignId: z.union([z.number(), z.string().regex(/^\d+$/)]),
     /** Pardot visitor ID */
-    pardotVisitorId: z.string().optional(),
+    pardotVisitorId: SanitizedString.optional(),
     /** The user's existing anonymousId from Segment */
-    anonymousId: z.string().optional(),
+    anonymousId: SanitizedString.optional(),
     /** Which channel this traffic is coming from. In `main` this'll likely always be "Admin Dashboard" */
-    utm_source: z.string().optional(),
+    utm_source: SanitizedString.optional(),
     /** What type of channel this traffic is coming from. */
-    utm_medium: z.string().optional(),
+    utm_medium: SanitizedString.optional(),
     /** Which marketing campaign this is coming from. */
-    utm_campaign: z.string().optional(),
+    utm_campaign: SanitizedString.optional(),
     /** A unique ID */
-    utm_id: z.string().optional(),
+    utm_id: SanitizedString.optional(),
     /** Only relevant for search campaigns (e.g. what google search term they came from) */
-    utm_term: z.string().optional(),
+    utm_term: SanitizedString.optional(),
     /** Only relevant for content-based campaigns (e.g. what blog post they were on) */
-    utm_content: z.string().optional(),
+    utm_content: SanitizedString.optional(),
 });
@@ -108,0 +121,0 @@ /**

package.json

 {
   "name": "@transcend-io/contact-form-schema",
   "type": "module",
-  "version": "2.6.0",
+  "version": "3.0.0",
   "description": "Schema for the marketing contact form.",
@@ -54,2 +54,3 @@ "license": "UNLICENSED",
   "dependencies": {
+    "isomorphic-dompurify": "^2.12.0",
     "phone": "^3.1.41",
@@ -56,0 +57,0 @@ "zod": "^3.22.4"

src/index.ts

@@ -0,1 +1,2 @@
+import DOMPurify from 'isomorphic-dompurify';
 import { phone } from 'phone';
@@ -8,5 +9,13 @@ import { z } from 'zod';
  */
-export const CONTACT_FORM_VERSION: string = '2.6.0';
+export const CONTACT_FORM_VERSION: string = '3.0.0';
 
 /**
+ * Sanitize inputs to prevent XSS
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+ */
+const SanitizedString = z.string().transform((value) => {
+  return DOMPurify.sanitize(value);
+});
+
+/**
  * The fields that are part of the contact form itself.
@@ -17,6 +26,6 @@ * This can be used to validate ALL contact forms, even if they omit some of the optional fields.
   /** The submitter's first name */
-  firstName: z.string().optional(),
+  firstName: SanitizedString.optional(),
 
   /** The submitter's last name */
-  lastName: z.string().optional(),
+  lastName: SanitizedString.optional(),
 
@@ -27,6 +36,6 @@ /** The submitter's work email */
   /** The submitter's job title */
-  title: z.string().optional(),
+  title: SanitizedString.optional(),
 
   /** The submitter's company name */
-  company: z.string().optional(),
+  company: SanitizedString.optional(),
 
@@ -53,9 +62,9 @@ /** The company's employee count */
   /** The submitter's country of residence */
-  country: z.string().optional(),
+  country: SanitizedString.optional(),
 
   /** The submitter's state of residence */
-  state: z.string().optional(),
+  state: SanitizedString.optional(),
 
   /** Any text that the submitter sent with this submission */
-  message: z.string().optional(),
+  message: SanitizedString.optional(),
 
@@ -70,6 +79,6 @@ /** If this is a partner contacting us */
     .object({
-      partnerFirstName: z.string(),
-      partnerLastName: z.string(),
+      partnerFirstName: SanitizedString,
+      partnerLastName: SanitizedString,
       partnerEmail: z.string().email(),
-      partnerCompany: z.string(),
+      partnerCompany: SanitizedString,
     })
@@ -98,3 +107,8 @@ .optional(),
   /** The reCAPTCHA token (only for use on our marketing website) */
-  recaptchaToken: z.string().min(50).optional(),
+  recaptchaToken: z
+    .string()
+    .min(50)
+    // alphanumeric or underscore or hyphen
+    .regex(/^(\w|-)+$/)
+    .optional(),
 
@@ -111,24 +125,24 @@ /** This is set up by the marketing team in Salesforce Pardot to label which contact form is being used */
   /** Pardot visitor ID */
-  pardotVisitorId: z.string().optional(),
+  pardotVisitorId: SanitizedString.optional(),
 
   /** The user's existing anonymousId from Segment */
-  anonymousId: z.string().optional(),
+  anonymousId: SanitizedString.optional(),
 
   /** Which channel this traffic is coming from. In `main` this'll likely always be "Admin Dashboard" */
-  utm_source: z.string().optional(),
+  utm_source: SanitizedString.optional(),
 
   /** What type of channel this traffic is coming from. */
-  utm_medium: z.string().optional(),
+  utm_medium: SanitizedString.optional(),
 
   /** Which marketing campaign this is coming from. */
-  utm_campaign: z.string().optional(),
+  utm_campaign: SanitizedString.optional(),
 
   /** A unique ID */
-  utm_id: z.string().optional(),
+  utm_id: SanitizedString.optional(),
 
   /** Only relevant for search campaigns (e.g. what google search term they came from) */
-  utm_term: z.string().optional(),
+  utm_term: SanitizedString.optional(),
 
   /** Only relevant for content-based campaigns (e.g. what blog post they were on) */
-  utm_content: z.string().optional(),
+  utm_content: SanitizedString.optional(),
 });
@@ -135,0 +149,0 @@ export type ContactFormMetadata = z.infer<typeof ContactFormMetadata>;

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

64243

increased by7.26%

Lines of code

664

increased by6.24%

Worsened metrics

Dependency count

3

increased by50%

Dependency changes

• + Addedisomorphic-dompurify@^2.12.0

• + Added@types/trusted-types@2.0.7(transitive)

• + Addedagent-base@7.1.3(transitive)

• + Addedasynckit@0.4.0(transitive)

• + Addedcombined-stream@1.0.8(transitive)

• + Addedcssstyle@4.1.0(transitive)

• + Addeddata-urls@5.0.0(transitive)

• + Addeddebug@4.4.0(transitive)

• + Addeddecimal.js@10.4.3(transitive)

• + Addeddelayed-stream@1.0.0(transitive)

• + Addeddompurify@3.2.3(transitive)

• + Addedentities@4.5.0(transitive)

• + Addedform-data@4.0.1(transitive)

• + Addedhtml-encoding-sniffer@4.0.0(transitive)

• + Addedhttp-proxy-agent@7.0.2(transitive)

• + Addedhttps-proxy-agent@7.0.6(transitive)

• + Addediconv-lite@0.6.3(transitive)

• + Addedis-potential-custom-element-name@1.0.1(transitive)

• + Addedisomorphic-dompurify@2.19.0(transitive)

• + Addedjsdom@25.0.1(transitive)

• + Addedmime-db@1.52.0(transitive)

• + Addedmime-types@2.1.35(transitive)

• + Addedms@2.1.3(transitive)

• + Addednwsapi@2.2.16(transitive)

• + Addedparse5@7.2.1(transitive)

• + Addedpunycode@2.3.1(transitive)

• + Addedrrweb-cssom@0.7.1(transitive)

• + Addedsafer-buffer@2.1.2(transitive)

• + Addedsaxes@6.0.0(transitive)

• + Addedsymbol-tree@3.2.4(transitive)

• + Addedtldts@6.1.67(transitive)

• + Addedtldts-core@6.1.67(transitive)

• + Addedtough-cookie@5.0.0(transitive)

• + Addedtr46@5.0.0(transitive)

• + Addedw3c-xmlserializer@5.0.0(transitive)

• + Addedwebidl-conversions@7.0.0(transitive)

• + Addedwhatwg-encoding@3.1.1(transitive)

• + Addedwhatwg-mimetype@4.0.0(transitive)

• + Addedwhatwg-url@14.1.0(transitive)

• + Addedws@8.18.0(transitive)

• + Addedxml-name-validator@5.0.0(transitive)

• + Addedxmlchars@2.2.0(transitive)