feat(security): enhance input validation and security measures across various routes

server/routes/calendar.js

@@ -16,6 +16,9 @@ import { rateLimit } from 'express-rate-limit';
 
 const router = Router();
 
+// Allowlist for CSS color values - only permits hsl(), hex (#rgb/#rrggbb) and plain names
+const SAFE_COLOR_RE = /^(?:#[0-9a-fA-F]{3,8}|hsl\(\d{1,3},\s*\d{1,3}%,\s*\d{1,3}%\)|[a-zA-Z]{1,30})$/;
+
 // Rate limit for federation calendar receive
 const calendarFederationLimiter = rateLimit({
   windowMs: 15 * 60 * 1000,
@@ -121,6 +124,11 @@ router.post('/events', authenticateToken, async (req, res) => {
     if (title.length > 200) return res.status(400).json({ error: 'Title must not exceed 200 characters' });
     if (description && description.length > 5000) return res.status(400).json({ error: 'Description must not exceed 5000 characters' });
 
+    // Validate color format
+    if (color && !SAFE_COLOR_RE.test(color)) {
+      return res.status(400).json({ error: 'Invalid color format' });
+    }
+
     const startDate = new Date(start_time);
     const endDate = new Date(end_time);
     if (isNaN(startDate.getTime()) || isNaN(endDate.getTime())) {
@@ -172,6 +180,11 @@ router.put('/events/:id', authenticateToken, async (req, res) => {
     if (title && title.length > 200) return res.status(400).json({ error: 'Title must not exceed 200 characters' });
     if (description && description.length > 5000) return res.status(400).json({ error: 'Description must not exceed 5000 characters' });
 
+    // Validate color format
+    if (color && !SAFE_COLOR_RE.test(color)) {
+      return res.status(400).json({ error: 'Invalid color format' });
+    }
+
     if (start_time && end_time) {
       const s = new Date(start_time);
       const e = new Date(end_time);