disinfect
v2.0.0
Published
Request query, payload, and params sanitization
Downloads
1,588
Maintainers
Readme
disinfect
Hapi plugin to apply Google's Caja HTML Sanitizer on route query, payload, and params.
- Capable for custom sanitization and per-route configuration.
- Can also be used for input formatting using the custom sanitizer option.
- Can be disabled per route.
Usage
const registerPlugins = async (server) => Promise.all([
server.register({
plugin: require('disinfect'),
options: {
disinfectQuery: true,
disinfectParams: true,
disinfectPayload: true
}
})
]);
registerPlugins(server)
.then(() => {
// ...
})
.catch((err) => {
// ...
})
Glue manifest
register: {
plugins: [
{
plugin: require('disinfect'),
options: {
disinfectQuery: true,
disinfectParams: true,
disinfectPayload: true
}
}
]
}
Options
- deleteEmpty - remove empty query or payload keys.
- deleteWhitespace - remove whitespace query, payload, or params keys.
- disinfectQuery - sanitize query strings.
- disinfectParams - sanitize url params.
- disinfectPayload - sanitize payload.
- genericSanitizer - custom synchronous function to do the sanitization of query, payload, and params.
- querySanitizer - custom synchronous function to do the sanitization of query strings.
- paramsSanitizer - custom synchronous function to do the sanitization of url params.
- payloadSanitizer - custom synchronous function to do the sanitization of payload.
deleteEmpty
and deleteWhitespace
defaults to false
.
disinfectQuery
, disinfectParams
, and disinfectPayload
defaults to false
. If set to true, object will be passed to caja
first before custom sanitizers.
dirtyObject ->`Caja` sanitizer -> `genericSanitizer` -> `query-`, `params-`, or `payload-` sanitizer -> deleteWhitespace -> deleteEmpty -> cleanObject.
genericSanitizer
, querySanitizer
, paramsSanitizer
, and payloadSanitizer
should be in the following format:
const customSanitizer = (dirtyObj) => {
// ...
return cleanObj;
}
All options can be passed on a per-route basis. Route options overrides server options.
// example
{
path: '/',
method: 'get',
handler: (request, reply) => {
...
},
options: {
plugins: {
disinfect: {
disinfectQuery: true,
disinfectParams: false,
disinfectPayload: true
}
}
}
}
Disable on a route.
{
path: '/',
method: 'get',
handler: (request, reply) => {
...
},
options: {
plugins: {
disinfect: false
}
}
}
Contributing
- Include 100% test coverage
- Follow the Hapi coding conventions
- Submit an issue first for significant changes.
Credits
- hapi-sanitize-payload - Hapi plugin to sanitize the request payload
- Caja-HTML-Sanitizer - Bundles Google Caja's HTML Sanitizer within a npm installable node.js module