express-safe-json
v0.2.0
Published
Prevent HTML tags from rendering in JSON responses.
Downloads
15
Readme
express-safe-json
Prevent HTML tags from rendering in JSON responses.
Why?
Even when the response is sent with Content-Type: application/json
, some
browsers attempts to do MIME-type sniffing - meaning that even if the response
is specified as application/json
, the browser might still render it as HTML
if it appears like valid HTML - leading to an XSS vulnerability.
Adding the X-Content-Type-Options: nosniff
header disables this behaviour and
can help mitigate this - but its not supported by all browsers.
This library modifies express's res.send()
method to replace the <
character
in JSON reponses with \u003c
.
The modified JSON should still be parsed the same on all JSON parsers, but will
prevent browsers from thinking that it might be an HTML response.
Install
npm install express-safe-json
Use
var express = require('express')
require('express-safe-json')(express)
// or, to have express-safe-json require() express on its own, simply:
require('express-safe-json')()
// Then, you can just use res.send(<object>) and res.json(<object>)
// as you normally do.
License
MIT