OWASP · Suresh-Krishna-P · Mar 21, 2026 · Mar 21, 2026 · Mar 21, 2026 · Mar 21, 2026
@@ -1,4 +1,4 @@
-defmodule Copi.Cornucopia.Game do
+ defmodule Copi.Cornucopia.Game do
   use Ecto.Schema
   import Ecto.Changeset
 
@@ -32,6 +32,8 @@ defmodule Copi.Cornucopia.Game do
     game
     |> cast(attrs, [:name, :created_at, :edition, :started_at, :finished_at, :rounds_played, :suits, :round_open])
     |> validate_required([:name], message: "No really, give your game session a name")
+    |> validate_length(:name, min: 1, max: 100)
+    |> validate_name(:name)
   end
 
   def continue_vote_count(game) do
@@ -62,4 +64,70 @@ defmodule Copi.Cornucopia.Game do
 
     Enum.count(players_still_to_play) > 0
   end
+
+  # Input validation and sanitization to prevent XSS
+  defp validate_name(changeset, field) do
+    case Ecto.Changeset.get_field(changeset, field) do
+      nil -> changeset
+      name when is_binary(name) ->
+        if valid_name?(name) do
+          changeset
+        else
+          Ecto.Changeset.add_error(
+            changeset, 
+            field, 
+            "contains unsafe content. Please use only letters, numbers, spaces, and basic punctuation."
+          )
+        end
+      _ ->
+        changeset
+    end
+  end
+
+  defp valid_name?(name) when is_binary(name) and name != "" do
+    String.match?(name, ~r/^[\u0600-\u06FF\u0600-\u06FF\u0750-\u077F\u08A0-\u08FF\uFB50-\uFDFF\uFE70-\uFEFF\uFDF2\uFDF3\uFDF4\uFDFD\u3040-\u309F\u30A0-\u30FF\u4E00-\u9FFF\uFF66-\uFF9Fー々〆〤\u3400-\u4DBF\uF900-\uFAFF\u0900-\u097F\u0621-\u064A\u0660-\u0669\u4E00-\u9FFF\u0E00-\u0E7F«»฿ฯ๏๚๛\u0400-\u04FF\u0500-\u052F\u2DE0-\u2DFF\uA640-\uA69FЮ́ю́Я́я́\u0370-\u03FF\u1F00-\u1FFFA-Za-zÀ-ÖØ-öø-ÿĀ-ž0-9._\--ءآأؤإئابةتثجحخدذرزسشصضطظعغفقكلمنهوي ًٌٍَُِّْٰﷲﷴﷺﷻ ٠١٢٣٤٥٦٧٨٩ \s]+$/u)
+  end
+
+  defp valid_name?(_), do: false
+
+  defp sanitize_name(name) when is_binary(name) do
+    name
+    |> strip_html_tags()
+    |> strip_javascript()
+    |> strip_data_attributes()
+    |> escape_html_entities()
+    |> String.trim()
+    |> String.replace(~r/\s+/, " ") # Normalize multiple spaces
+  end
+
+  defp sanitize_name(_), do: ""
+
+  defp strip_html_tags(text) do
+    # Remove HTML tags using regex
+    String.replace(text, ~r/<[^>]*>/, "")
+  end
+
+  defp strip_javascript(text) do
+    # Remove JavaScript patterns
+    text
+    |> String.replace(~r/javascript:/i, "")
+    |> String.replace(~r/on\w+\s*=/i, "")
+    |> String.replace(~r/eval\s*\(/i, "")
+    |> String.replace(~r/Function\s*\(/i, "")
+  end
+
+  defp strip_data_attributes(text) do
+    # Remove data-* attributes that could be used for XSS
+    String.replace(text, ~r/data-\w+/, "")
+  end
+
+  defp escape_html_entities(text) do
+    # Escape HTML entities that could be dangerous
+    text
+    |> String.replace("&", "&")
+    |> String.replace("<", "<")
+    |> String.replace(">", ">")
+    |> String.replace("\"", "&quot;")
+    |> String.replace("'", "&#39;")
+  end
 end
@@ -27,5 +27,72 @@ defmodule Copi.Cornucopia.Player do
     |> cast(attrs, [:name, :game_id])
     |> validate_required([:name])
     |> validate_length(:name, min: 1, max: 50)
+    |> validate_name(:name)
+  end
+
+  # Input validation and sanitization to prevent XSS
+  defp validate_name(changeset, field) do
+    case Ecto.Changeset.get_field(changeset, field) do
+      nil -> changeset
+      name when is_binary(name) ->
+        if valid_name?(name) do
+          changeset
+        else
+          Ecto.Changeset.add_error(
+            changeset, 
+            field, 
+            "contains unsafe content. Please use only letters, numbers, spaces, and basic punctuation."
+          )
+        end
+      _ ->
+        changeset
+    end
+  end
+
+  defp valid_name?(name) when is_binary(name) and name != "" do
+    String.match?(name, ~r/^[\u0600-\u06FF\u0600-\u06FF\u0750-\u077F\u08A0-\u08FF\uFB50-\uFDFF\uFE70-\uFEFF\uFDF2\uFDF3\uFDF4\uFDFD\u3040-\u309F\u30A0-\u30FF\u4E00-\u9FFF\uFF66-\uFF9Fー々〆〤\u3400-\u4DBF\uF900-\uFAFF\u0900-\u097F\u0621-\u064A\u0660-\u0669\u4E00-\u9FFF\u0E00-\u0E7F«»฿ฯ๏๚๛\u0400-\u04FF\u0500-\u052F\u2DE0-\u2DFF\uA640-\uA69FЮ́ю́Я́я́\u0370-\u03FF\u1F00-\u1FFFA-Za-zÀ-ÖØ-öø-ÿĀ-ž0-9._\--ءآأؤإئابةتثجحخدذرزسشصضطظعغفقكلمنهوي ًٌٍَُِّْٰﷲﷴﷺﷻ ٠١٢٣٤٥٦٧٨٩ \s]+$/u)
+  end
+
+  defp valid_name?(_), do: false
+
+  defp sanitize_name(name) when is_binary(name) do
+    name
+    |> strip_html_tags()
+    |> strip_javascript()
+    |> strip_data_attributes()
+    |> escape_html_entities()
+    |> String.trim()
+    |> String.replace(~r/\s+/, " ") # Normalize multiple spaces
+  end
+
+  defp sanitize_name(_), do: ""
+
+  defp strip_html_tags(text) do
+    # Remove HTML tags using regex
+    String.replace(text, ~r/<[^>]*>/, "")
+  end
+
+  defp strip_javascript(text) do
+    # Remove JavaScript patterns
+    text
+    |> String.replace(~r/javascript:/i, "")
+    |> String.replace(~r/on\w+\s*=/i, "")
+    |> String.replace(~r/eval\s*\(/i, "")
+    |> String.replace(~r/Function\s*\(/i, "")
+  end
+
+  defp strip_data_attributes(text) do
+    # Remove data-* attributes that could be used for XSS
+    String.replace(text, ~r/data-\w+/, "")
+  end
+
+  defp escape_html_entities(text) do
+    # Escape HTML entities that could be dangerous
+    text
+    |> String.replace("&", "&")
+    |> String.replace("<", "<")
+    |> String.replace(">", ">")
+    |> String.replace("\"", "&quot;")
+    |> String.replace("'", "&#39;")
   end
 end
@@ -41,6 +41,44 @@ defmodule Copi.CornucopiaTest do
       assert {:error, %Ecto.Changeset{}} = Cornucopia.create_game(@invalid_attrs)
     end
 
+    test "create_game/1 rejects XSS payloads in name" do
+      # Test various XSS payloads
+      xss_payloads = [
+        "<script>alert('xss')</script>",
+        "javascript:alert('xss')",
+        "<img src=x onerror=alert('xss')>",
+        "onload=alert('xss')",
+        "<iframe src='javascript:alert(1)'></iframe>",
+        "data:text/html,<script>alert('xss')</script>"
+      ]
+
+      for payload <- xss_payloads do
+        attrs = %{name: payload, edition: "webapp"}
+        assert {:error, %Ecto.Changeset{}} = Cornucopia.create_game(attrs)
+      end
+    end
+
+    test "create_game/1 accepts safe names" do
+      safe_names = [
+        "My Game Session",
+        "Security Review 2024",
+        "Test Game-123",
+        "O'Connor's Security Game",
+        "Game \"Secure\" Session",
+        "لعبة الأمن",
+        "安全游戏",
+        "Игра Безопасности",
+        "Juego de Seguridad",
+        "Sécurité de Jeu",
+        "セキュリティゲーム"
+      ]
+
+      for name <- safe_names do
+        attrs = %{name: name, edition: "webapp"}
+        assert {:ok, %Game{name: ^name}} = Cornucopia.create_game(attrs)
+      end
+    end
+
     test "update_game/2 with valid data updates the game" do
       game = game_fixture()
       assert {:ok, %Game{} = game} = Cornucopia.update_game(game, @update_attrs)
@@ -144,6 +182,46 @@ defmodule Copi.CornucopiaTest do
       assert {:error, %Ecto.Changeset{}} = Cornucopia.create_player(@invalid_attrs)
     end
 
+    test "create_player/1 rejects XSS payloads in name" do
+      # Test various XSS payloads
+      xss_payloads = [
+        "<script>alert('xss')</script>",
+        "javascript:alert('xss')",
+        "<img src=x onerror=alert('xss')>",
+        "onload=alert('xss')",
+        "<iframe src='javascript:alert(1)'></iframe>",
+        "data:text/html,<script>alert('xss')</script>"
+      ]
+
+      for payload <- xss_payloads do
+        attrs = %{name: payload, game_id: "00000000000000000000000001"}
+        assert {:error, %Ecto.Changeset{}} = Cornucopia.create_player(attrs)
+      end
+    end
+
+    test "create_player/1 accepts safe names" do
+      safe_names = [
+        "John Doe",
+        "O'Connor",
+        "Jane Smith-Anderson",
+        "Player 123",
+        "Test.User@domain.com",
+        "العربية",
+        "中文",
+        "Русский",
+        "Español",
+        "Français",
+        "日本語",
+        "العربية-English",
+        "测试游戏"
+      ]
+
+      for name <- safe_names do
+        attrs = %{name: name, game_id: "00000000000000000000000001"}
+        assert {:ok, %Player{name: ^name}} = Cornucopia.create_player(attrs)
+      end
+    end
+
     test "update_player/2 with valid data updates the player" do
       player = player_fixture()
       assert {:ok, %Player{} = player} = Cornucopia.update_player(player, @update_attrs)