I’m building a contact form that will send me an email notification using the SendGrid Email API. The Worker script I’m building validates that inputs are the correct value types, and the submission isn’t stuffing extra values into the POST request. But how do I sanitize the data before adding it to an email template?
I have been working locally with Isomorphic DOMPurify and it was fantastic, until I tried to publish my Worker. I got a “window not defined” error, which in hindsight makes sense – there’s no DOM, so there’s no window object.
I’ve looked at various other options, including:
- Writing an HTML encoder as suggested on the PortSwigger XSS prevention page
- Omitting the HTML sanitization because I’m only using a text email template
- Tightening the allowed characters on form input. This has limited value because I don’t want to make the UX overly difficult.
- Trying another lib like Validator.js or js-xss
The threat of XSS is lower because I control the validation and email destination, but I’d like to include a sanitization routine if possible.
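One way to cover the encoder option from the list above, as an added example that is not code from the original post: a small HTML-entity encoder plus a strict field allow-list, using only string operations so it needs no `window` or DOM and runs in a Worker. The field names (`name`, `email`, `message`) and their limits are assumptions for illustration.

```javascript
// Added example, not code from the original post: entity-encode user input
// and reject unexpected fields before rendering a form-to-email template.
// Pure string handling, so it needs no DOM or window object and runs in a
// Cloudflare Worker. The field names (name, email, message) are assumptions.

// Characters PortSwigger's XSS prevention guidance encodes for HTML body and
// attribute contexts; everything else passes through unchanged.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Allow-list of fields with per-field checks. Unknown keys fail validation,
// so a POST cannot smuggle extra values into the template.
const FIELDS = {
  name: (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 100,
  email: (v) => typeof v === "string" && v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  message: (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 2000,
};

function validateSubmission(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(FIELDS, key)) return { ok: false, error: `unexpected field: ${key}` };
  }
  for (const [key, check] of Object.entries(FIELDS)) {
    if (!check(body[key])) return { ok: false, error: `invalid field: ${key}` };
  }
  return { ok: true, data: body };
}

// Build both MIME parts. Values are encoded where they land in the HTML part;
// the text/plain part stays raw, since mail clients do not parse it as markup.
function renderEmail(data) {
  const html =
    `<p><b>From:</b> ${escapeHtml(data.name)} &lt;${escapeHtml(data.email)}&gt;</p>` +
    `<p>${escapeHtml(data.message).replace(/\r?\n/g, "<br>")}</p>`;
  const text = `From: ${data.name} <${data.email}>\n\n${data.message}`;
  return { html, text };
}

// Constructed sample submission carrying markup in the message field.
const sample = { name: "Ada", email: "ada@example.com", message: "<script>alert(1)</script> & more" };
```

If the notification is sent as text/plain only, `renderEmail`'s `text` part shows why the encoder is unnecessary there: entities would appear verbatim, so the value is passed through unchanged and the allow-list does the work.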