Add JSON error handling

Author: jimmitchell

.gitignore

@@ -12,3 +12,4 @@ logs/
 data/cache/
 .php-cs-fixer.cache
 .phpstan/
+var/htmlpurifier/

ENV_CONFIGURATION.md

@@ -78,6 +78,13 @@ RATE_LIMIT_API_WINDOW=60                 # Seconds (1 minute)
 CACHE_ENABLED=1                           # 0 = disabled, 1 = enabled
 CACHE_DRIVER=file                         # file or redis
 CACHE_TTL=300                             # Seconds (5 minutes)
+```
+
+## HTML Sanitization
+
+```bash
+SANITIZATION_ENABLED=1                    # 0 = disabled, 1 = enabled (default: enabled)
+```
 CACHE_PATH=data/cache                     # File cache only
 ```
 

HTML_SANITIZATION.md

@@ -0,0 +1,181 @@
+# HTML Sanitization
+
+VibeReader implements comprehensive HTML sanitization to prevent XSS (Cross-Site Scripting) attacks from malicious feed content.
+
+## Overview
+
+Feed content from RSS/Atom/JSON feeds can contain HTML, which could potentially include malicious scripts. This implementation sanitizes all feed content at multiple layers:
+
+1. **Server-side sanitization** - HTMLPurifier sanitizes content before storing in database
+2. **Client-side sanitization** - DOMPurify provides defense-in-depth when rendering content
+
+## Server-Side Sanitization (HTMLPurifier)
+
+### Implementation
+
+- **Library**: `ezyang/htmlpurifier` (v4.16+)
+- **Location**: `src/Utils/HtmlSanitizer.php`
+- **Integration**: Automatically applied in `FeedParser` when parsing feeds
+
+### What Gets Sanitized
+
+- **Feed titles** - Plain text (HTML entities escaped)
+- **Feed descriptions** - HTML sanitized
+- **Item titles** - Plain text (HTML entities escaped)
+- **Item content** - HTML sanitized (preserves formatting)
+- **Item summaries** - HTML sanitized
+- **Item authors** - Plain text (HTML entities escaped)
+
+### Allowed HTML Tags
+
+The sanitizer allows common formatting tags used in feed content:
+- Text formatting: `p`, `br`, `strong`, `b`, `em`, `i`, `u`
+- Links: `a[href|title|target]`
+- Lists: `ul`, `ol`, `li`
+- Code: `pre`, `code`
+- Images: `img[src|alt|width|height]`
+- Headings: `h1`, `h2`, `h3`, `h4`, `h5`, `h6`
+- Structure: `div`, `span[style]`, `blockquote`
+- Tables: `table`, `thead`, `tbody`, `tr`, `td`, `th`
+
+### Allowed Attributes
+
+- Links: `href`, `title`, `target`, `rel`
+- Images: `src`, `alt`, `width`, `height`
+- Styling: `style` (limited CSS properties)
+- Allowed CSS properties: `color`, `background-color`, `font-size`, `font-weight`, `font-style`, `text-align`, `text-decoration`, `margin`, `padding`, `border`
+
+### Configuration
+
+Sanitization can be disabled via environment variable:
+
+```bash
+SANITIZATION_ENABLED=0  # Disable sanitization (not recommended)
+```
+
+**Default**: Enabled (`SANITIZATION_ENABLED=1`)
+
+### Cache
+
+HTMLPurifier uses a cache directory at `var/htmlpurifier/` to improve performance. This directory is automatically created and is excluded from Git.
+
+## Client-Side Sanitization (DOMPurify)
+
+### Implementation
+
+- **Library**: DOMPurify v3.3.1 (via CDN)
+- **Location**: Loaded in `views/dashboard.php`
+- **Integration**: Applied in `assets/js/modules/items.js` when rendering item content
+
+### Defense in Depth
+
+Even though content is sanitized server-side, DOMPurify provides an additional layer of protection:
+- Protects against any content that might bypass server-side sanitization
+- Handles edge cases in browser rendering
+- Provides real-time sanitization when content is displayed
+
+### Configuration
+
+DOMPurify uses the same allowed tags and attributes as the server-side sanitizer for consistency.
+
+## Usage
+
+### Server-Side
+
+```php
+use PhpRss\Utils\HtmlSanitizer;
+
+// Sanitize HTML content (preserves formatting)
+$cleanHtml = HtmlSanitizer::sanitize($feedContent);
+
+// Sanitize plain text (escapes HTML entities)
+$cleanText = HtmlSanitizer::sanitizeText($feedTitle);
+```
+
+### Client-Side
+
+```javascript
+// Sanitize HTML before setting innerHTML
+const sanitized = DOMPurify.sanitize(content, {
+    ALLOWED_TAGS: ['p', 'br', 'strong', 'b', 'em', 'i', 'u', 'a', 'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'img', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'table', 'thead', 'tbody', 'tr', 'td', 'th'],
+    ALLOWED_ATTR: ['href', 'title', 'target', 'src', 'alt', 'width', 'height', 'style', 'rel'],
+    ALLOW_DATA_ATTR: false
+});
+
+element.innerHTML = sanitized;
+```
+
+## Security Benefits
+
+1. **Prevents Stored XSS** - Malicious scripts in feed content are removed before storage
+2. **Prevents Reflected XSS** - Content is sanitized before being sent to the browser
+3. **Defense in Depth** - Multiple layers of sanitization (server + client)
+4. **Preserves Formatting** - Legitimate HTML formatting is maintained
+5. **Configurable** - Can be disabled if needed (though not recommended)
+
+## Performance
+
+- **HTMLPurifier**: Uses caching to improve performance on repeated sanitization
+- **DOMPurify**: Lightweight client-side library with minimal performance impact
+- **Caching**: HTMLPurifier cache stored in `var/htmlpurifier/` (excluded from Git)
+
+## Troubleshooting
+
+### Content Appears Stripped
+
+If legitimate content is being removed:
+1. Check HTMLPurifier logs for warnings
+2. Verify the content uses allowed tags/attributes
+3. Review `src/Utils/HtmlSanitizer.php` configuration
+
+### Sanitization Not Working
+
+1. Verify `SANITIZATION_ENABLED=1` in environment
+2. Check that HTMLPurifier is installed: `composer show ezyang/htmlpurifier`
+3. Verify DOMPurify is loaded (check browser console)
+4. Check that `var/htmlpurifier/` directory is writable
+
+### Disabling Sanitization
+
+**Not Recommended** - Only disable for debugging:
+
+```bash
+SANITIZATION_ENABLED=0
+```
+
+This will bypass server-side sanitization. Client-side DOMPurify will still sanitize content.
+
+## Files Modified
+
+- `src/Utils/HtmlSanitizer.php` (new) - HTML sanitization utility
+- `src/FeedParser.php` - Integrated sanitization into all parsing methods
+- `src/Config.php` - Added sanitization configuration
+- `assets/js/modules/items.js` - Added DOMPurify client-side sanitization
+- `views/dashboard.php` - Added DOMPurify CDN script
+- `composer.json` - Added HTMLPurifier dependency
+- `ENV_CONFIGURATION.md` - Added sanitization configuration documentation
+- `.gitignore` - Added HTMLPurifier cache directory
+
+## Testing
+
+To test sanitization:
+
+1. **Test with malicious content**:
+   ```php
+   $malicious = '<script>alert("XSS")</script><p>Safe content</p>';
+   $sanitized = HtmlSanitizer::sanitize($malicious);
+   // Result: '<p>Safe content</p>' (script removed)
+   ```
+
+2. **Test with legitimate HTML**:
+   ```php
+   $legitimate = '<p>This is <strong>bold</strong> text with a <a href="https://example.com">link</a>.</p>';
+   $sanitized = HtmlSanitizer::sanitize($legitimate);
+   // Result: Same content (preserved)
+   ```
+
+## References
+
+- [HTMLPurifier Documentation](https://htmlpurifier.org/)
+- [DOMPurify Documentation](https://github.com/cure53/DOMPurify)
+- [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

README.md

@@ -229,6 +229,36 @@ The project uses static analysis and code style tools:
 
 See [CODE_QUALITY.md](CODE_QUALITY.md) for usage instructions.
 
+## Security
+
+VibeReader implements comprehensive security measures:
+
+- **HTML Sanitization** - All feed content is sanitized to prevent XSS attacks
+  - Server-side: HTMLPurifier sanitizes content before storage
+  - Client-side: DOMPurify provides defense-in-depth when rendering
+  - See [HTML_SANITIZATION.md](HTML_SANITIZATION.md) for details
+- **CSRF Protection** - All state-changing operations require CSRF tokens
+- **SSRF Protection** - Feed URLs are validated to prevent internal network access
+- **Rate Limiting** - Login and API endpoints are rate-limited
+- **Secure Sessions** - HttpOnly, Secure, SameSite cookies
+- **Input Validation** - Comprehensive server-side validation
+- **SQL Injection Prevention** - All queries use prepared statements
+
+See [SECURITY_AUDIT.md](SECURITY_AUDIT.md) for complete security details.
+
+## Security
+
+VibeReader implements comprehensive security measures:
+
+- **HTML Sanitization** - Server-side (HTMLPurifier) and client-side (DOMPurify) sanitization to prevent XSS attacks
+- **CSRF Protection** - All state-changing operations protected
+- **SSRF Protection** - Feed URL validation prevents access to internal IPs
+- **Rate Limiting** - Prevents brute force attacks
+- **Secure Sessions** - HttpOnly, Secure, SameSite cookies
+- **Input Validation** - Comprehensive validation on all inputs
+
+See [SECURITY_AUDIT.md](SECURITY_AUDIT.md) for detailed security information and [HTML_SANITIZATION.md](HTML_SANITIZATION.md) for sanitization details.
+
 ## Future Enhancements
 
 - Support for MySQL database (currently uses PostgreSQL in Docker)

assets/js/modules/items.js

@@ -241,12 +241,21 @@ function renderItemContent(item) {
         </div>
     ` : `<div class="item-content-meta">${metaContent}</div>`;
 
+    // Sanitize HTML content with DOMPurify if available (defense in depth)
+    const sanitizedContent = (typeof DOMPurify !== 'undefined') 
+        ? DOMPurify.sanitize(content, { 
+            ALLOWED_TAGS: ['p', 'br', 'strong', 'b', 'em', 'i', 'u', 'a', 'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'img', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'table', 'thead', 'tbody', 'tr', 'td', 'th'],
+            ALLOWED_ATTR: ['href', 'title', 'target', 'src', 'alt', 'width', 'height', 'style', 'rel'],
+            ALLOW_DATA_ATTR: false
+        })
+        : content; // Fallback if DOMPurify not loaded
+    
     itemContent.innerHTML = `
         <div class="item-content-body">
             ${titleRow}
             ${metaRow}
             <div class="item-content-text">
-                ${content}
+                ${sanitizedContent}
             </div>
         </div>
     `;

composer.json

@@ -11,7 +11,8 @@
         "ext-json": "*",
         "ext-simplexml": "*",
         "ext-libxml": "*",
-        "monolog/monolog": "^3.0"
+        "monolog/monolog": "^3.0",
+        "ezyang/htmlpurifier": "^4.16"
     },
     "require-dev": {
         "phpunit/phpunit": "^10.0",