feat: Implement CSS sanitization utility to prevent injection attacks

- Added `CssSanitizer` class with methods to sanitize CSS values including colors, lengths, fonts, shadows, and generic values.
- Introduced regex patterns and allowlists for validating safe CSS inputs.
- Implemented tests for sanitization methods to ensure malicious inputs are rejected and valid inputs are accepted.

refactor: Update ThemingBenchmarks to remove JSRuntime dependency

- Simplified `BuildCustomPropertyStyle_SimpleTheme` and `BuildCustomPropertyStyle_ComplexTheme` benchmarks by removing mock JSRuntime usage.

test: Add comprehensive security tests for CSS sanitization

- Created `SecurityTests` class to validate the behavior of `CssSanitizer` against various malicious and valid CSS inputs.
- Ensured that all sanitization methods are covered with appropriate test cases.

chore: Remove outdated ThemeManagerTests

- Deleted `ThemeManagerTests` as the theme loading mechanism has been refactored to use CSS classes only, making these tests obsolete.

chore: Clean up ThemingComponentTests by removing JS theme loading tests

- Removed tests related to JS theme loading as the implementation has shifted to CSS class-based theming.

Author: mashrulhaque

README.md

@@ -1031,6 +1031,66 @@ Three source generators ensure AOT compatibility and developer productivity:
 2. **ExpressionValidatorGenerator** - Build-time expression validation with diagnostics
 3. **ConfigurationApplierGenerator** - Auto-generates configuration application (100% coverage)
 
+## Security
+
+This component implements multiple security layers to protect against common web vulnerabilities:
+
+### Built-in Protections
+
+- **CSS Injection Prevention**: All theme customization values are sanitized using allowlist-based validation. Dangerous patterns like `url()`, `expression()`, `<script>`, and CSS injection attempts are automatically blocked.
+- **Memory Exhaustion Protection**: Search input is limited to 2,000 characters maximum to prevent DoS attacks through excessive memory allocation in filtering algorithms.
+- **XSS Protection**: Template content and user input are handled through Blazor's built-in encoding mechanisms.
+- **SIMD Optimization**: AI similarity calculations use hardware-accelerated operations with bounded memory allocation.
+
+### Configuration Limits
+
+```csharp
+<AutoComplete TItem="Product"
+              MaxSearchLength="500"  // Default: 500, Max: 2000
+              ... />
+```
+
+The `MaxSearchLength` parameter allows you to configure the maximum allowed search text length. This prevents:
+- Excessive memory allocation in fuzzy matching algorithms (Levenshtein distance)
+- Performance degradation from processing extremely long search strings
+- Potential denial-of-service attacks
+
+### Theme Customization Safety
+
+All CSS custom properties are validated before rendering:
+
+```csharp
+// ✅ Safe - Valid CSS values pass through
+ThemeOverrides = new ThemeOptions {
+    Colors = new ColorOptions { Primary = "#FF6B6B" },
+    Spacing = new SpacingOptions { BorderRadius = "8px" }
+}
+
+// ❌ Blocked - Malicious values are rejected
+ThemeOverrides = new ThemeOptions {
+    Colors = new ColorOptions { Primary = "url(javascript:alert(1))" }  // Rejected
+}
+```
+
+Supported CSS value types:
+- **Colors**: hex, rgb/rgba, hsl/hsla, named colors
+- **Lengths**: px, em, rem, %, vh, vw (including multi-value like `"10px 20px"`)
+- **Fonts**: Standard font families and generic families
+- **Shadows**: box-shadow and text-shadow syntax
+- **Times**: ms and s units
+
+### Security Best Practices
+
+1. **Use the latest version** to ensure you have all security patches
+2. **Validate user data** on the server side before passing to the component
+3. **Set appropriate `MaxSearchLength`** based on your use case (default 500 is recommended)
+4. **Review theme customizations** if accepting user-provided theme values
+5. **Use CSP headers** for additional XSS protection in production
+
+### Reporting Security Issues
+
+If you discover a security vulnerability, please email [email protected] instead of using the public issue tracker.
+
 ## Contributing
 
 Contributions are welcome! Please read our [Contributing Guide](CONTRIBUTING.md) for details.

src/EasyAppDev.Blazor.AutoComplete/Components/AutoComplete.razor

@@ -29,6 +29,7 @@
                id="@_inputIdValue"
                class="ebd-ac-input"
                placeholder="@Placeholder"
+               maxlength="@GetEffectiveMaxSearchLength()"
                @bind-value="_searchText"
                @bind-value:event="oninput"
                @bind-value:after="OnSearchTextChangedAsync"

src/EasyAppDev.Blazor.AutoComplete/Components/AutoComplete.razor.cs

@@ -223,6 +223,14 @@ public partial class AutoComplete<TItem> : ComponentBase, IAsyncDisposable
     [Parameter]
     public int DebounceMs { get; set; } = 300;
 
+    /// <summary>
+    /// Maximum allowed length for search text to prevent memory exhaustion attacks.
+    /// Default is 500 characters. Maximum allowed value is 2000.
+    /// Values exceeding this limit will be truncated.
+    /// </summary>
+    [Parameter]
+    public int MaxSearchLength { get; set; } = 500;
+
     /// <summary>
     /// Whether to enable virtualization for large datasets.
     /// </summary>
@@ -511,6 +519,13 @@ private void ApplyConfiguration(AutoCompleteConfig<TItem> config)
 
     private async Task OnSearchTextChangedAsync()
     {
+        // Security: Enforce maximum search length to prevent memory exhaustion
+        var effectiveMaxLength = GetEffectiveMaxSearchLength();
+        if (_searchText.Length > effectiveMaxLength)
+        {
+            _searchText = _searchText.Substring(0, effectiveMaxLength);
+        }
+
         if (_searchText.Length >= MinSearchLength)
         {
             if (_debounceTimer != null)
@@ -691,6 +706,15 @@ private void OnValidationStateChanged(object? sender, ValidationStateChangedEven
 
     #region Helper Methods
 
+    /// <summary>
+    /// Gets the effective maximum search length, enforcing a hard limit of 2000 characters.
+    /// </summary>
+    private int GetEffectiveMaxSearchLength()
+    {
+        const int AbsoluteMaxLength = 2000;
+        return Math.Min(MaxSearchLength, AbsoluteMaxLength);
+    }
+
     private async Task FilterItemsAsync()
     {
         // Cancel any ongoing load operation

src/EasyAppDev.Blazor.AutoComplete/Filtering/ContainsFilter.cs

@@ -36,6 +36,13 @@ public IEnumerable<TItem> FilterMultiField(
             return items;
         }
 
+        // Security: Prevent performance degradation from excessively long search strings
+        const int MaxSearchLength = 2000;
+        if (searchText.Length > MaxSearchLength)
+        {
+            searchText = searchText.Substring(0, MaxSearchLength);
+        }
+
         var searchLower = searchText.ToLowerInvariant();
 
         return items.Where(item =>

src/EasyAppDev.Blazor.AutoComplete/Filtering/FilterEngineBase.cs

@@ -24,6 +24,13 @@ public IEnumerable<TItem> Filter(
             return items;
         }
 
+        // Security: Prevent performance degradation from excessively long search strings
+        const int MaxSearchLength = 2000;
+        if (searchText.Length > MaxSearchLength)
+        {
+            searchText = searchText.Substring(0, MaxSearchLength);
+        }
+
         // Common case conversion
         var searchLower = searchText.ToLowerInvariant();
 

src/EasyAppDev.Blazor.AutoComplete/Filtering/FuzzyFilter.cs

@@ -35,6 +35,13 @@ public IEnumerable<TItem> Filter(
             return items;
         }
 
+        // Security: Prevent memory exhaustion from excessively long search strings
+        const int MaxSearchLength = 2000;
+        if (searchText.Length > MaxSearchLength)
+        {
+            searchText = searchText.Substring(0, MaxSearchLength);
+        }
+
         var searchLower = searchText.ToLowerInvariant();
 
         return items
@@ -67,6 +74,13 @@ public IEnumerable<TItem> FilterMultiField(
             return items;
         }
 
+        // Security: Prevent memory exhaustion from excessively long search strings
+        const int MaxSearchLength = 2000;
+        if (searchText.Length > MaxSearchLength)
+        {
+            searchText = searchText.Substring(0, MaxSearchLength);
+        }
+
         var searchLower = searchText.ToLowerInvariant();
 
         return items
@@ -143,8 +157,14 @@ private static int LevenshteinDistance(string source, string target)
             return source.Length;
         }
 
-        var sourceLength = source.Length;
-        var targetLength = target.Length;
+        // Security: Prevent memory exhaustion from excessively long strings
+        // Matrix allocation = (sourceLength + 1) * (targetLength + 1) * sizeof(int)
+        // Limit each dimension to 1000 chars to cap memory at ~4MB per calculation
+        const int MaxLengthForLevenshtein = 1000;
+
+        var sourceLength = Math.Min(source.Length, MaxLengthForLevenshtein);
+        var targetLength = Math.Min(target.Length, MaxLengthForLevenshtein);
+
         var distance = new int[sourceLength + 1, targetLength + 1];
 
         for (var i = 0; i <= sourceLength; distance[i, 0] = i++) { }

src/EasyAppDev.Blazor.AutoComplete/Filtering/StartsWithFilter.cs

@@ -35,6 +35,13 @@ public IEnumerable<TItem> FilterMultiField(
             return items;
         }
 
+        // Security: Prevent performance degradation from excessively long search strings
+        const int MaxSearchLength = 2000;
+        if (searchText.Length > MaxSearchLength)
+        {
+            searchText = searchText.Substring(0, MaxSearchLength);
+        }
+
         var searchLower = searchText.ToLowerInvariant();
 
         return items.Where(item =>