express-caja-sanitizer
v1.0.1
Published
An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.
Downloads
7,905
Maintainers
Readme
express-caja-sanitizer
An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.
Installation
npm install express-caja-sanitizer
Usage
Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:
var express = require('express');
var bodyParser = require('body-parser');
var cajaSanitizer = require('express-caja-sanitizer');
var app = express();
app.use(bodyParser());
app.use(cajaSanitizer());
URL Params
This module by default sanitizes the request URL params (req.params
), apart from request body and query string params, e.g.:
http://www.myapp.com/rest/user/<script>console.log("hello")</script>bob/details
will be sanitized as
http://www.myapp.com/rest/user/bob/details
Options
shouldSanitize
When shouldSanitize
function is provided as an option, the module will sanitize only the (key, value) pairs for which the function returns true
.
For example, if we don't want to sanitize XML values then the preprocesser function can be
var shouldSanitize = function(key, value) {
return !value.startsWith('<?xml version="1.0"')
}
##Limitations This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.
##Caveats This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.