# Quick Fix Guide - Critical Security Issues

## 🔴 CRITICAL: Fix These Immediately

### 1. XSS Vulnerability Fix

**File:** `src/utils/customFunctions/TextLimit.js`

**Install sanitization library:**

```bash
npm install isomorphic-dompurify
```

**Replace the sanitizeAndTrustHtml function:**

```javascript
import DOMPurify from 'isomorphic-dompurify';

// Sanitize untrusted HTML immediately before it is handed to dangerouslySetInnerHTML.
// Sanitize at render time (not before storing) so the sanitizer's current rules always apply.
const sanitizeAndTrustHtml = (htmlString) => {
  return { __html: DOMPurify.sanitize(htmlString) };
};
```

> Where the content does not actually need markup, render it as plain text instead of through `dangerouslySetInnerHTML`; sanitizing is the fallback for genuine rich text, not a substitute for avoiding `innerHTML`. If you restrict the allowed markup (e.g. `DOMPurify.sanitize(htmlString, { ALLOWED_TAGS: [...] })`), use the same configuration everywhere this helper is called.

---

### 2. Implement Middleware Authentication

**File:** `src/middleware.js`

**Replace with:**

```javascript
import { NextResponse } from 'next/server';

// Public routes that don't require authentication
const publicRoutes = ['/auth/login', '/auth/register', '/auth/forgot-password'];

// Routes live under app/[lng]/, so strip a leading locale segment (e.g. /en) before matching.
// Assumes two-letter locale codes — adjust the pattern if the app uses longer ones.
const stripLocale = (pathname) => pathname.replace(/^\/[a-zA-Z]{2}(?=\/|$)/, '') || '/';

// Match on whole path segments, not substrings: `pathname.includes('/auth/login')` would also
// treat e.g. `/dashboard/auth/login` as a public route.
const matchesRoute = (pathname, route) =>
  pathname === route || pathname.startsWith(`${route}/`);

export async function middleware(request) {
  const token = request.cookies.get('uat')?.value;
  const path = stripLocale(request.nextUrl.pathname);

  const isPublicRoute = publicRoutes.some((route) => matchesRoute(path, route));

  // Redirect to login if no token and not on a public route.
  // NOTE: this only checks that a `uat` cookie exists — any value passes. It is a navigation
  // gate, not authentication: every API route / server action must still validate the token
  // itself. If the token can be verified here (e.g. a signed JWT), verify it and treat an
  // invalid token the same as a missing one.
  if (!token && !isPublicRoute) {
    const loginUrl = new URL('/en/auth/login', request.url);
    return NextResponse.redirect(loginUrl);
  }

  // Redirect to dashboard if there is a token and the user is on the login page
  if (token && matchesRoute(path, '/auth/login')) {
    const dashboardUrl = new URL('/en/dashboard', request.url);
    return NextResponse.redirect(dashboardUrl);
  }

  return NextResponse.next();
}

export const config = {
  matcher: [
    "/",
    "/account",
    "/attachment/:path*",
    "/attribute/:path*",
    "/auth/:path*",
    "/blog/:path*",
    "/category/:path*",
    "/checkout",
    "/commission_history",
    "/coupon/:path*",
    "/currency/:path*",
    "/dashboard",
    "/dashboard/:path*",
    "/faq/:path*",
    "/notification/:path*",
    "/order/:path*",
    "/page/:path*",
    "/payment_account/:path*",
    "/point/:path*",
    "/product/:path*",
    "/refund",
    "/review/:path*",
    "/role/",
    "/setting/:path*",
    "/shipping/:path*",
    "/store/:path*",
    "/tag/:path*",
    "/tax/:path*",
    "/theme/:path*",
    "/theme_option/:path*",
    "/user/:path*",
    "/vendore_wallet/:path*",
    "/wallet/:path*",
    "/withdraw_request/:path*",
    "/vendor_wallet/:path*",
    "/theme/denver",
    "/notifications",
    "/qna",
  ],
};
```

> The matcher lists un-prefixed paths, but the app's routes and redirects are locale-prefixed (`src/app/[lng]/`, `/en/dashboard`). `"/dashboard"` does not match `/en/dashboard`, so confirm the middleware actually runs on the pages you expect (e.g. with `"/:lng/dashboard/:path*"`-style entries or one locale-aware pattern) before relying on it as a gate.

---

### 3. Update .gitignore

**File:** `.gitignore`

**Replace with:**

```gitignore
# Dependencies
node_modules/
/.pnp
.pnp.js

# Testing
/coverage

# Next.js
/.next/
/out/

# Production
/build

# Misc
.DS_Store
*.pem

# Debug
npm-debug.log*
yarn-debug.log*
yarn-error.log*

# Local env files
.env
.env*.local

# Vercel
.vercel

# TypeScript
*.tsbuildinfo
next-env.d.ts

# IDE
.vscode/
.idea/
*.swp
*.swo
*~

# OS
.DS_Store
Thumbs.db
```

> Adding entries to `.gitignore` does not untrack files that are already committed: run `git rm --cached <file>` for any `.env*` or `*.pem` file that was previously committed, and treat every secret in it as compromised (rotate it — it remains in the git history). Note that `.env.development` / `.env.production` are still tracked by this list (Next.js convention); keep real secrets in `.env` or `.env*.local` only.

---

### 4. Enable React Strict Mode

**File:** `next.config.js`

**Change:**

```javascript
const nextConfig = {
  reactStrictMode: true, // ✅ Enable this (development aid for unsafe React patterns; not a security control by itself)
  // ... rest of config
};
```

---

### 5. Fix Axios Error Handling

**File:** `src/utils/axiosUtils/index.js`

**Replace the onError function:**

```javascript
const onError = (error) => {
  const status = error?.response?.status;

  // Handle specific status codes
  if (status === 401) {
    // Unauthorized: drop the client-visible session cookie and send the user to login.
    // NOTE: if `uat` is HttpOnly (it should be), document.cookie cannot clear it — the server
    // must expire it (e.g. via a logout endpoint) and invalidate the session on its side;
    // clearing it here only resets the client's view.
    if (typeof document !== 'undefined') {
      document.cookie = 'uat=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
    }
    router?.push("/en/auth/login");
  } else if (status === 403) {
    // Forbidden: authenticated but not allowed
    router?.push("/en/403");
  }

  // Always reject the promise so calling code can handle errors
  return Promise.reject(error);
};
```

> `router` is assumed to be the Next.js router instance already in scope in this file; the snippet does not define it.

---

### 6. Remove Console Statements

**Files to update:**

1. `src/components/product/DateRangePicker.js:35`
   - Remove: `console.log('Date range error handled:', error.message);`

2. `src/components/role/PermissionForm.js:19`
   - Remove: `console.log(errors[0]?.message);`
   - Replace with proper error handling

3. `src/app/[lng]/layout.js:7`
   - Remove: `console.log("err", err)`
   - Replace with proper error handling or logging service

> When forwarding errors to a logging service, do not log whole error objects blindly: axios errors carry the request config (headers, including auth) and the response body.

---

### 7. Fix GetCookie Function

**File:** `src/utils/customFunctions/GetCookie.js`

**Replace with:**

```javascript
export default function getCookie(cname) {
  if (typeof document === 'undefined') return '';
  const name = cname + "=";
  // Split first and decode each value afterwards: decoding the whole cookie header up front
  // (as the old code did) lets an encoded ';' or '=' inside one value corrupt the parsing
  // of the others.
  const parts = document.cookie.split(";");
  for (let i = 0; i < parts.length; i++) {
    const c = parts[i].trimStart();
    if (c.indexOf(name) === 0) { // ✅ strict equality
      const raw = c.substring(name.length);
      try {
        return decodeURIComponent(raw);
      } catch {
        // Malformed percent-encoding: return the raw value rather than throwing during render
        return raw;
      }
    }
  }
  return "";
}

// Client-side convenience only: the presence of a `username` cookie says nothing about
// whether the session is valid — never use it as an authentication or authorization check.
export function checkCookie() {
  const username = getCookie("username");
  return username !== "" && Boolean(username); // ✅ strict equality
}
```

---

## 🔧 Automated Fix Script

Create a file `scripts/fix-equality.sh`:

```bash
#!/bin/bash
# This script replaces loose equality operators with strict ones
# Run with: bash scripts/fix-equality.sh
# (on macOS/BSD sed use `sed -i ''` instead of `sed -i`)

echo "Fixing loose equality operators..."

# Find all .js and .jsx files and replace == with ===
find src -type f \( -name "*.js" -o -name "*.jsx" \) -exec sed -i 's/ == / === /g' {} +
find src -type f \( -name "*.js" -o -name "*.jsx" \) -exec sed -i 's/ != / !== /g' {} +

# Fix specific patterns — keep the parenthesis and skip already-strict operators
# (the previous versions `s/(==/===/g` and `s/==)/===/g` deleted the bracket).
find src -type f \( -name "*.js" -o -name "*.jsx" \) -exec sed -i 's/(==\([^=]\)/(===\1/g' {} +
find src -type f \( -name "*.js" -o -name "*.jsx" \) -exec sed -i 's/\([^=!]\)==)/\1===)/g' {} +

echo "Done! Please review changes before committing."
echo "Run 'git diff' to see what changed."
```

**Usage:**

```bash
chmod +x scripts/fix-equality.sh
./scripts/fix-equality.sh
```

**⚠️ Warning:** Review all changes carefully: the `sed` passes are text substitutions and will also rewrite `==` inside string literals, comments and regexes, and they convert the one idiomatic loose comparison (`x == null`, which matches both `null` and `undefined`) into a stricter check. A safer alternative is the linter, which understands the syntax: `npx eslint --rule 'eqeqeq: error' --fix src`.
---

## 📋 Verification Checklist

After applying fixes, verify:

- [ ] XSS vulnerability fixed (test with malicious HTML input, e.g. `<img src=x onerror=alert(1)>` and a `javascript:` link, and confirm the handler/URL is gone from the rendered DOM)
- [ ] Middleware redirects unauthenticated users — on the locale-prefixed paths the app actually serves (`/en/dashboard`), not only the un-prefixed ones in the matcher
- [ ] API routes reject requests without a valid token on their own (e.g. a request carrying an arbitrary `uat` cookie value), so they do not depend on the middleware
- [ ] .gitignore prevents committing sensitive files
- [ ] React Strict Mode enabled (check for warnings)
- [ ] Axios properly rejects errors
- [ ] No console statements in production code
- [ ] All equality operators are strict (===, !==)
- [ ] Application still functions correctly
- [ ] Run `npm run lint` and fix any errors
- [ ] Test authentication flow
- [ ] Test permission-based routing

---

## 🚀 Deployment Checklist

Before deploying to production:

- [ ] All critical fixes applied
- [ ] Environment variables properly configured
- [ ] .env files not committed to git (and any secret that was ever committed has been rotated)
- [ ] Session cookie (`uat`) set with `HttpOnly`, `Secure` and `SameSite` attributes
- [ ] Build succeeds without errors
- [ ] No console warnings in production build
- [ ] Security headers configured
- [ ] HTTPS enabled
- [ ] Rate limiting implemented
- [ ] Error monitoring setup (Sentry, etc.)
- [ ] Backup strategy in place

---

## 📞 Support

If you encounter issues while applying these fixes:

1. Check the full CODE_REVIEW.md for detailed explanations
2. Test each fix individually
3. Use git to track changes and revert if needed
4. Consider creating a feature branch for these fixes

---

**Last Updated:** January 2026