[VPAT-55] chore(security): implement input validation across authentication and workspace forms (#8528)

* chore(security): implement input validation across authentication and workspace forms - Add OWASP-compliant autocomplete attributes to all auth input fields - Create centralized validation utilities blocking injection-risk characters - Apply validation to names, display names, workspace names, and slugs - Block special characters: < > ' " % # { } [ ] * ^ ! - Secure sensitive input fields across admin, web, and space apps * chore: add missing workspace name validation to settings and admin forms * feat: enhance validation regex for international names and usernames - Updated regex patterns to support Unicode characters for person names, display names, company names, and slugs. - Improved validation functions to block injection-risk characters in names and slugs.
2026-02-17 00:18:46 +05:30 · 2026-02-17 00:18:46 +05:30 · 49fc6aa0a0
commit 49fc6aa0a0
parent 55e89cb8fc
11 changed files with 281 additions and 54 deletions
--- a/apps/admin/components/instance/setup-form.tsx
+++ b/apps/admin/components/instance/setup-form.tsx
@ -13,7 +13,7 @@ import { API_BASE_URL, E_PASSWORD_STRENGTH } from "@plane/constants";
 import { Button } from "@plane/propel/button";
 import { AuthService } from "@plane/services";
 import { Checkbox, Input, PasswordStrengthIndicator, Spinner } from "@plane/ui";
-import { getPasswordStrength } from "@plane/utils";
+import { getPasswordStrength, validatePersonName, validateCompanyName } from "@plane/utils";
 // components
 import { AuthHeader } from "@/app/(all)/(home)/auth-header";
 import { Banner } from "../common/banner";
@ -173,9 +173,15 @@ export function InstanceSetupForm() {
                  inputSize="md"
                  placeholder="Wilber"
                  value={formData.first_name}
-                  onChange={(e) => handleFormChange("first_name", e.target.value)}
-                  autoComplete="on"
+                  onChange={(e) => {
+                    const validation = validatePersonName(e.target.value);
+                    if (validation === true || e.target.value === "") {
+                      handleFormChange("first_name", e.target.value);
+                    }
+                  }}
+                  autoComplete="off"
                  autoFocus
+                  maxLength={50}
                />
              </div>
              <div className="w-full space-y-1">
@ -190,8 +196,14 @@ export function InstanceSetupForm() {
                  inputSize="md"
                  placeholder="Wright"
                  value={formData.last_name}
-                  onChange={(e) => handleFormChange("last_name", e.target.value)}
-                  autoComplete="on"
+                  onChange={(e) => {
+                    const validation = validatePersonName(e.target.value);
+                    if (validation === true || e.target.value === "") {
+                      handleFormChange("last_name", e.target.value);
+                    }
+                  }}
+                  autoComplete="off"
+                  maxLength={50}
                />
              </div>
            </div>
@ -229,7 +241,13 @@ export function InstanceSetupForm() {
                inputSize="md"
                placeholder="Company name"
                value={formData.company_name}
-                onChange={(e) => handleFormChange("company_name", e.target.value)}
+                onChange={(e) => {
+                  const validation = validateCompanyName(e.target.value, false);
+                  if (validation === true || e.target.value === "") {
+                    handleFormChange("company_name", e.target.value);
+                  }
+                }}
+                maxLength={80}
              />
            </div>