Fix/security input validation#303
Conversation
✅ Deploy Preview for webdevpathstage ready!
@Satoshi-Sh Good call out. I went ahead and updated.
mtkksk1780
left a comment
@shayla-develops-webs
Thanks for the thorough investigation and improvements! It must have taken quite a bit of time.
I have left one small suggestion, which I hope will be helpful for further updates.
Ok so currently, the newsletter form validates manually with Zod, while the contact form uses react-hook-form's built-in Zod resolver. The form only has 2 fields so the manual approach works fine, but should we refactor the newsletter form to a react-hook-form for consistency across all forms, or is the split acceptable?
…ep server-side rules consistent with client-side validation
…e validation refact
Have you updated the CHANGELOG.md file? If not, please do it.
Yes
What is this change?
Fixed security vulnerabilities related to user input handling across three files:
Were there any complications while making this change?
During local setup, the dev server would not start due to a TypeError: withPWA is not a function error in next.config.js. This was caused by a breaking change in the next-pwa package API. I fixed the import syntax to match the installed version before proceeding with the changes. No new dependencies were required for the actual security fixes.
How to replicate the issue?
On the current live site, go to the newsletter form and submit <script>alert('xss')</script> in the email field. It will pass through without any format validation.
On the contact form, submit "><img src=x onerror=alert(1)> in the name or message field. The input gets inserted directly into the outgoing email HTML template with no escaping, allowing injected HTML to render in the email client.
If necessary, please describe how to test the new feature or fix.
On the newsletter form, submit <script>alert('xss')</script> in the email field. It should be rejected with an invalid email format error.
On the newsletter form, submit an empty field, notanemail, and a@b and all should be rejected with validation errors.
On the contact form, submit <script>alert('xss')</script> in the name or message field. No alert dialog should fire.
On the contact form, submit "><img src=x onerror=alert(1)> in the name or message field. No HTML should render or execute.
Submit valid inputs on both forms and they should pass validation and reach the API successfully.
When should this be merged?
after 3 approvals
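The checks the PR description above tests for (email format on the newsletter form, escaping of name/message before they enter the HTML email template), as an added server-side example that is not the project's code: the project uses Zod and react-hook-form, whereas the regex, length limits and `escapeHtml` helper here are assumptions chosen so that the PR's own test inputs behave as described.

```javascript
// Added example, not the PR's code. Rules below are assumptions that mirror
// the behaviour the PR description tests for.

// Practical email shape: dotted domain with a 2+ letter TLD, so "a@b" and
// "notanemail" fail, and anything with angle brackets or whitespace fails.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/;

function validateEmail(input) {
  const email = typeof input === "string" ? input.trim() : "";
  if (email.length === 0) return { ok: false, error: "Email is required" };
  if (email.length > 254) return { ok: false, error: "Email is too long" };
  if (!EMAIL_RE.test(email)) return { ok: false, error: "Invalid email format" };
  return { ok: true, value: email };
}

// Escape the five characters that matter when untrusted text is placed in
// an HTML body or attribute, so injected markup is shown as literal text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Contact form: validate length on the raw trimmed input (assumed limits),
// and escape only at the point the values enter the template.
function validateContact({ name, message }) {
  const errors = [];
  const n = typeof name === "string" ? name.trim() : "";
  const m = typeof message === "string" ? message.trim() : "";
  if (n.length < 1 || n.length > 100) errors.push("Name must be 1-100 characters");
  if (m.length < 1 || m.length > 2000) errors.push("Message must be 1-2000 characters");
  return errors.length ? { ok: false, errors } : { ok: true, value: { name: n, message: m } };
}

// Keep server-side rules consistent with the client: escape every
// interpolated value, then convert newlines to <br> on the escaped text.
function renderContactEmail({ name, message }) {
  return `<p><strong>From:</strong> ${escapeHtml(name)}</p>` +
         `<p>${escapeHtml(message).replace(/\n/g, "<br>")}</p>`;
}
```

Call `validateContact` first and only pass its `value` to `renderContactEmail`, so the template never sees input that failed validation.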