From c374020f15160587c36b400d551c285f6f095988 Mon Sep 17 00:00:00 2001
From: Sahil Malhotra <smalhotra@mitre.org>
Date: Mon, 15 Dec 2025 11:14:21 -0500
Subject: [PATCH 1/4] impliment middleware to prevent xss attacks

---
 frontend/vite-xss-middleware.ts | 41 +++++++++++++++++++++++++++++++++
 frontend/vite.config.ts         |  5 ++--
 2 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 frontend/vite-xss-middleware.ts

diff --git a/frontend/vite-xss-middleware.ts b/frontend/vite-xss-middleware.ts
new file mode 100644
index 0000000..a20238d
--- /dev/null
+++ b/frontend/vite-xss-middleware.ts
@@ -0,0 +1,41 @@
+// vite-xss-fix.ts
+import { Plugin } from 'vite';
+
+export function viteXssMiddleware(): Plugin {
+  const middleware = (req: any, res: any, next: any) => {
+    const originalEnd = res.end;
+    const chunks: any[] = [];
+
+    res.end = function(chunk?: any) {
+      if (chunk) chunks.push(Buffer.from(chunk));
+      
+      const body = Buffer.concat(chunks).toString();
+      
+      // If Vite's error message is reflecting user input, replace it
+      if (body.includes('did you mean to visit') && body.includes('<a href=')) {
+        const safe = 
+        `<!DOCTYPE html>
+            <html>
+            <head><title>404 Not Found</title></head>
+            <body><h1>404 - Page Not Found</h1></body>
+            </html>`;
+        res.setHeader('Content-Type', 'text/html');
+        return originalEnd.call(res, safe);
+      }
+      
+      return originalEnd.call(res, Buffer.concat(chunks));
+    };
+
+    next();
+  };
+
+  return {
+    name: 'vite-xss-fix',
+    configureServer(server) {
+      server.middlewares.use(middleware);
+    },
+    configurePreviewServer(server) {
+      server.middlewares.use(middleware);
+    }
+  };
+}
\ No newline at end of file
diff --git a/frontend/vite.config.ts b/frontend/vite.config.ts
index 187cc8c..99ce05d 100644
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -1,13 +1,12 @@
 import { defineConfig } from 'vite';
 import react from '@vitejs/plugin-react';
-
+import { viteXssMiddleware } from './vite-xss-middleware';
 import dotenv from 'dotenv';
 
 dotenv.config({ path: '.env' }); // load env vars from .env
 export default defineConfig({
-  // depending on your application, base can also be "/"
   base: process.env.REACT_APP_VITE_BASE || '',
-  plugins: [react()],
+  plugins: [react(), viteXssMiddleware()],
   preview: {
     allowedHosts: ['.mitre.org', '.elb.us-east-1.amazonaws.com'],
     port: parseInt(process.env.PORT!),

From cf669b772602d68ca1e80c6996427e06fe6ab89b Mon Sep 17 00:00:00 2001
From: Sahil Malhotra <smalhotra@mitre.org>
Date: Mon, 15 Dec 2025 11:19:13 -0500
Subject: [PATCH 2/4] run lint

---
 frontend/vite-xss-middleware.ts | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/frontend/vite-xss-middleware.ts b/frontend/vite-xss-middleware.ts
index a20238d..215c5e6 100644
--- a/frontend/vite-xss-middleware.ts
+++ b/frontend/vite-xss-middleware.ts
@@ -6,15 +6,14 @@ export function viteXssMiddleware(): Plugin {
     const originalEnd = res.end;
     const chunks: any[] = [];
 
-    res.end = function(chunk?: any) {
+    res.end = function (chunk?: any) {
       if (chunk) chunks.push(Buffer.from(chunk));
-      
+
       const body = Buffer.concat(chunks).toString();
-      
+
       // If Vite's error message is reflecting user input, replace it
       if (body.includes('did you mean to visit') && body.includes('<a href=')) {
-        const safe = 
-        `<!DOCTYPE html>
+        const safe = `<!DOCTYPE html>
             <html>
             <head><title>404 Not Found</title></head>
             <body><h1>404 - Page Not Found</h1></body>
@@ -22,7 +21,7 @@ export function viteXssMiddleware(): Plugin {
         res.setHeader('Content-Type', 'text/html');
         return originalEnd.call(res, safe);
       }
-      
+
       return originalEnd.call(res, Buffer.concat(chunks));
     };
 
@@ -38,4 +37,4 @@ export function viteXssMiddleware(): Plugin {
       server.middlewares.use(middleware);
     }
   };
-}
\ No newline at end of file
+}

From 01548b8913e257f7272b914b1c2f547303f7ac4e Mon Sep 17 00:00:00 2001
From: Sahil Malhotra <smalhotra@mitre.org>
Date: Mon, 15 Dec 2025 11:20:29 -0500
Subject: [PATCH 3/4] update index to not include intermediary title

---
 frontend/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/index.html b/frontend/index.html
index 1154229..6285209 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/png" href="/intermediary.png" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Rems Intermediary UI</title>
+    <title>Pharmacy Information Management System</title>
   </head>
   <body>
     <div id="root"></div>

From 286a704bd1c381d526fd4353ab186117ebe7b830 Mon Sep 17 00:00:00 2001
From: Sahil Malhotra <smalhotra@mitre.org>
Date: Mon, 15 Dec 2025 11:21:12 -0500
Subject: [PATCH 4/4] update title to be PIMS short hand

---
 frontend/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/index.html b/frontend/index.html
index 6285209..d238940 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/png" href="/intermediary.png" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>Pharmacy Information Management System</title>
+    <title>PIMS Pharmacy</title>
   </head>
   <body>
     <div id="root"></div>