@jgardner04/ghost-mcp-server 1.11.0 → 1.12.0

package/src/schemas/__tests__/common.test.js

@@ -177,6 +177,90 @@ describe('Common Schemas', () => {
     it('should reject empty strings', () => {
       expect(() => htmlContentSchema.parse('')).toThrow();
     });
+
+    // XSS Prevention Tests
+    describe('XSS sanitization', () => {
+      it('should strip script tags', () => {
+        const result = htmlContentSchema.parse('<p>Safe</p><script>alert("xss")</script>');
+        expect(result).not.toContain('<script>');
+        expect(result).not.toContain('alert');
+        expect(result).toContain('<p>Safe</p>');
+      });
+
+      it('should strip onclick and other event handlers', () => {
+        const result = htmlContentSchema.parse('<p onclick="alert(1)">Click me</p>');
+        expect(result).not.toContain('onclick');
+        expect(result).toContain('<p>Click me</p>');
+      });
+
+      it('should strip javascript: URLs', () => {
+        const result = htmlContentSchema.parse('<a href="javascript:alert(1)">Link</a>');
+        expect(result).not.toContain('javascript:');
+      });
+
+      it('should strip onerror handlers on images', () => {
+        const result = htmlContentSchema.parse('<img src="x" onerror="alert(1)">');
+        expect(result).not.toContain('onerror');
+      });
+
+      it('should allow safe tags', () => {
+        const safeHtml =
+          '<h1>Title</h1><p>Paragraph</p><a href="https://example.com">Link</a><ul><li>Item</li></ul>';
+        const result = htmlContentSchema.parse(safeHtml);
+        expect(result).toContain('<h1>');
+        expect(result).toContain('<p>');
+        expect(result).toContain('<a ');
+        expect(result).toContain('<ul>');
+        expect(result).toContain('<li>');
+      });
+
+      it('should allow safe attributes on links', () => {
+        const result = htmlContentSchema.parse(
+          '<a href="https://example.com" title="Example">Link</a>'
+        );
+        expect(result).toContain('href="https://example.com"');
+        expect(result).toContain('title="Example"');
+      });
+
+      it('should allow safe attributes on images', () => {
+        const result = htmlContentSchema.parse(
+          '<img src="https://example.com/img.jpg" alt="Description" title="Title" width="100" height="100">'
+        );
+        expect(result).toContain('src="https://example.com/img.jpg"');
+        expect(result).toContain('alt="Description"');
+      });
+
+      it('should strip style attributes by default', () => {
+        const result = htmlContentSchema.parse('<p style="color: red">Styled</p>');
+        expect(result).not.toContain('style=');
+      });
+
+      it('should strip iframe tags', () => {
+        const result = htmlContentSchema.parse(
+          '<iframe src="https://evil.com"></iframe><p>Safe</p>'
+        );
+        expect(result).not.toContain('<iframe');
+        expect(result).toContain('<p>Safe</p>');
+      });
+
+      it('should strip data: URLs on images', () => {
+        // data: URLs can be used for XSS in some contexts
+        const result = htmlContentSchema.parse(
+          '<img src="data:text/html,<script>alert(1)</script>">'
+        );
+        // The src should either be removed or the tag stripped
+        expect(result).not.toContain('<script>');
+      });
+
+      it('should preserve text content while stripping dangerous elements', () => {
+        const result = htmlContentSchema.parse(
+          '<div>Safe text<script>evil()</script> more text</div>'
+        );
+        expect(result).toContain('Safe text');
+        expect(result).toContain('more text');
+        expect(result).not.toContain('evil');
+      });
+    });
   });
 
   describe('titleSchema', () => {

package/src/schemas/common.js

@@ -1,10 +1,54 @@
 import { z } from 'zod';
+import sanitizeHtml from 'sanitize-html';
 
 /**
  * Common Zod schemas for validation across all Ghost MCP resources.
  * These validators provide consistent validation and security controls.
  */
 
+/**
+ * HTML sanitization configuration
+ * Prevents XSS attacks by allowing only safe HTML tags and attributes
+ */
+const htmlSanitizeConfig = {
+  allowedTags: [
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'h6',
+    'blockquote',
+    'p',
+    'a',
+    'ul',
+    'ol',
+    'nl',
+    'li',
+    'b',
+    'i',
+    'strong',
+    'em',
+    'strike',
+    'code',
+    'hr',
+    'br',
+    'div',
+    'span',
+    'img',
+    'pre',
+    'figure',
+    'figcaption',
+  ],
+  allowedAttributes: {
+    a: ['href', 'name', 'target', 'rel', 'title'],
+    img: ['src', 'alt', 'title', 'width', 'height'],
+    '*': ['class', 'id'],
+  },
+  allowedSchemes: ['http', 'https', 'mailto'],
+  allowedSchemesAppliedToAttributes: ['href', 'src'],
+};
+
 // ----- Basic Type Validators -----
 
 /**
@@ -106,10 +150,13 @@ export const visibilitySchema = z.enum(['public', 'members', 'paid', 'tiers'], {
 
 /**
  * HTML content validation schema
- * Validates that content is a non-empty string
- * Note: HTML sanitization should be performed separately
+ * Validates that content is a non-empty string and sanitizes HTML to prevent XSS
+ * Uses transform to sanitize HTML at schema level (defense-in-depth)
  */
-export const htmlContentSchema = z.string().min(1, 'HTML content cannot be empty');
+export const htmlContentSchema = z
+  .string()
+  .min(1, 'HTML content cannot be empty')
+  .transform((html) => sanitizeHtml(html, htmlSanitizeConfig));
 
 /**
  * Title validation schema

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -128,24 +128,9 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockCreatedMember);
     });
 
-    it('should throw validation error for missing email', async () => {
-      await expect(createMember({})).rejects.toThrow('Member validation failed');
-    });
-
-    it('should throw validation error for invalid email', async () => {
-      await expect(createMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
-
-    it('should throw validation error for invalid labels type', async () => {
-      await expect(
-        createMember({
-          email: 'test@example.com',
-          labels: 'premium',
-        })
-      ).rejects.toThrow('Member validation failed');
-    });
+    // NOTE: Input validation tests (missing email, invalid email, invalid labels)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should handle Ghost API errors', async () => {
       const memberData = {
@@ -225,11 +210,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid email in update', async () => {
-      await expect(updateMember('member-1', { email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
+    // NOTE: Input validation tests (invalid email in update) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error if member does not exist', async () => {
       api.members.read.mockRejectedValue({
@@ -345,14 +327,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid limit', async () => {
-      await expect(getMembers({ limit: 0 })).rejects.toThrow('Member query validation failed');
-      await expect(getMembers({ limit: 101 })).rejects.toThrow('Member query validation failed');
-    });
-
-    it('should throw validation error for invalid page', async () => {
-      await expect(getMembers({ page: 0 })).rejects.toThrow('Member query validation failed');
-    });
+    // NOTE: Input validation tests (invalid limit, invalid page) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should return empty array when no members found', async () => {
       api.members.browse.mockResolvedValue([]);
@@ -407,15 +383,8 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockMember);
     });
 
-    it('should throw validation error when neither id nor email provided', async () => {
-      await expect(getMember({})).rejects.toThrow('Member lookup validation failed');
-    });
-
-    it('should throw validation error for invalid email format', async () => {
-      await expect(getMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member lookup validation failed'
-      );
-    });
+    // NOTE: Input validation tests (missing id/email, invalid email format) have been
+    // moved to MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error when member not found by ID', async () => {
       api.members.read.mockRejectedValue({
@@ -493,27 +462,9 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for empty query', async () => {
-      await expect(searchMembers('')).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers('   ')).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for non-string query', async () => {
-      await expect(searchMembers(123)).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers(null)).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for invalid limit', async () => {
-      await expect(searchMembers('test', { limit: 0 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 51 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 100 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-    });
+    // NOTE: Input validation tests (empty query, non-string query, invalid limit)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should sanitize query to prevent NQL injection', async () => {
       const mockMembers = [];

package/src/services/__tests__/postService.test.js

@@ -26,7 +26,11 @@ describe('postService', () => {
     vi.clearAllMocks();
   });
 
-  describe('createPostService - validation', () => {
+  // NOTE: Input validation tests have been moved to MCP layer tests.
+  // The postService no longer performs Joi validation - input is validated
+  // by Zod schemas at the MCP tool layer (see mcp_server_improved.js).
+
+  describe('createPostService - basic functionality', () => {
     it('should accept valid input and create a post', async () => {
       const validInput = {
         title: 'Test Post',
@@ -47,41 +51,6 @@ describe('postService', () => {
       );
     });
 
-    it('should reject input with missing title', async () => {
-      const invalidInput = {
-        html: '<p>Test content</p>',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "title" is required'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject input with missing html', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "html" is required'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject input with invalid status', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        status: 'invalid-status',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "status" must be one of [draft, published, scheduled]'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
     it('should accept valid status values', async () => {
       const statuses = ['draft', 'published', 'scheduled'];
       createPost.mockResolvedValue({ id: '1', title: 'Test' });
@@ -100,39 +69,6 @@ describe('postService', () => {
       }
     });
 
-    it('should validate tags array with maximum length', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: Array(11).fill('tag'), // 11 tags exceeds max of 10
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should validate tag string max length', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: ['a'.repeat(51)], // 51 chars exceeds max of 50
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should validate feature_image is a valid URI', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        feature_image: 'not-a-valid-url',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
     it('should accept valid feature_image URI', async () => {
       const validInput = {
         title: 'Test Post',
@@ -217,27 +153,7 @@ describe('postService', () => {
       );
     });
 
-    it('should reject tags array with non-string values', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: [null, 'valid-tag'],
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject tags array with empty strings', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: ['', 'valid-tag'],
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
+    // NOTE: Tag validation tests (non-string values, empty strings) moved to MCP layer
 
     it('should trim whitespace from tag names', async () => {
       const input = {
@@ -383,15 +299,7 @@ describe('postService', () => {
       expect(calledDescription).toBe('a'.repeat(497) + '...');
     });
 
-    it('should reject empty HTML content', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '',
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
+    // NOTE: Empty HTML validation test moved to MCP layer
 
     it('should strip HTML tags and truncate when generating meta_description', async () => {
       const longHtml = '<p>' + 'word '.repeat(200) + '</p>';

package/src/services/ghostServiceImproved.js

@@ -792,10 +792,7 @@ export async function deleteTag(tagId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function createMember(memberData, options = {}) {
-  // Import and validate input
-  const { validateMemberData } = await import('./memberService.js');
-  validateMemberData(memberData);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   try {
     return await handleApiRequest('members', 'add', memberData, options);
   } catch (error) {
@@ -825,14 +822,11 @@ export async function createMember(memberData, options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function updateMember(memberId, updateData, options = {}) {
+  // Input validation is performed at the MCP tool layer using Zod schemas
   if (!memberId) {
     throw new ValidationError('Member ID is required for update');
   }
 
-  // Import and validate update data
-  const { validateMemberUpdateData } = await import('./memberService.js');
-  validateMemberUpdateData(updateData);
-
   try {
     // Get existing member to retrieve updated_at for conflict resolution
     const existingMember = await handleApiRequest('members', 'read', { id: memberId });
@@ -889,10 +883,7 @@ export async function deleteMember(memberId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMembers(options = {}) {
-  // Import and validate query options
-  const { validateMemberQueryOptions } = await import('./memberService.js');
-  validateMemberQueryOptions(options);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   const defaultOptions = {
     limit: 15,
     ...options,
@@ -918,12 +909,12 @@ export async function getMembers(options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMember(params) {
-  // Import and validate lookup parameters
-  const { validateMemberLookup, sanitizeNqlValue } = await import('./memberService.js');
-  const { lookupType, id, email } = validateMemberLookup(params);
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const { id, email } = params;
 
   try {
-    if (lookupType === 'id') {
+    if (id) {
       // Lookup by ID using read endpoint
       return await handleApiRequest('members', 'read', { id }, { id });
     } else {
@@ -960,11 +951,9 @@ export async function getMember(params) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function searchMembers(query, options = {}) {
-  // Import and validate search query and options
-  const { validateSearchQuery, validateSearchOptions, sanitizeNqlValue } =
-    await import('./memberService.js');
-  validateSearchOptions(options);
-  const sanitizedQuery = sanitizeNqlValue(validateSearchQuery(query));
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const sanitizedQuery = sanitizeNqlValue(query.trim());
 
   const limit = options.limit || 15;
 

package/src/services/postService.js

@@ -1,12 +1,10 @@
 import sanitizeHtml from 'sanitize-html';
-import Joi from 'joi';
 import { createContextLogger } from '../utils/logger.js';
 import {
   createPost as createGhostPost,
   getTags as getGhostTags,
   createTag as createGhostTag,
-  // Import other necessary functions from ghostService later
-} from './ghostService.js'; // Note the relative path
+} from './ghostService.js';
 
 /**
  * Helper to generate a simple meta description from HTML content.
@@ -37,37 +35,13 @@ const generateSimpleMetaDescription = (htmlContent, maxLength = 500) => {
 /**
  * Service layer function to handle the business logic of creating a post.
  * Transforms input data, handles/resolves tags, includes feature image and metadata.
- * @param {object} postInput - Data received from the controller.
+ * Input validation is handled at the MCP layer using Zod schemas.
+ * @param {object} postInput - Validated data received from the MCP tool.
  * @returns {Promise<object>} The created post object from the Ghost API.
  */
-// Validation schema for post input
-const postInputSchema = Joi.object({
-  title: Joi.string().max(255).required(),
-  html: Joi.string().required(),
-  custom_excerpt: Joi.string().max(500).optional(),
-  status: Joi.string().valid('draft', 'published', 'scheduled').optional(),
-  published_at: Joi.string().isoDate().optional(),
-  tags: Joi.array().items(Joi.string().max(50)).max(10).optional(),
-  feature_image: Joi.string().uri().optional(),
-  feature_image_alt: Joi.string().max(255).optional(),
-  feature_image_caption: Joi.string().max(500).optional(),
-  meta_title: Joi.string().max(70).optional(),
-  meta_description: Joi.string().max(160).optional(),
-});
-
 const createPostService = async (postInput) => {
   const logger = createContextLogger('post-service');
 
-  // Validate input to prevent format string vulnerabilities
-  const { error, value: validatedInput } = postInputSchema.validate(postInput);
-  if (error) {
-    logger.error('Post input validation failed', {
-      error: error.details[0].message,
-      inputKeys: Object.keys(postInput),
-    });
-    throw new Error(`Invalid post input: ${error.details[0].message}`);
-  }
-
   const {
     title,
     html,
@@ -80,7 +54,7 @@ const createPostService = async (postInput) => {
     feature_image_caption,
     meta_title,
     meta_description,
-  } = validatedInput;
+  } = postInput;
 
   // --- Resolve Tag Names to Tag Objects (ID/Slug/Name) ---
   let resolvedTags = [];