express-sanitized-escaped
v1.1.1
Published
Express middleware for the sanitizer module using Caja's HTML Sanitizer and HTML escape using htmlencode. Forked from express-sanitize-escape as the original package is no longer maintained
Downloads
398
Maintainers
Readme
express-sanitized
Installation
npm install express-sanitize-escape
Usage
Place this directly after all express.use(bodyParser) middlewares and before any express middleware that accesses query or body parameters, e.g.:
var bodyParser = require('body-parser');
var express = require('express');
var expressSanitized = require('express-sanitize-escape');
app.use(bodyParser.urlencoded);
app.use(bodyParser.json);
app.use(expressSanitized.middleware()); // this line follows app.use(bodyParser.json) or the last body parser middleware
The above sanitizes req.body
and req.query
. In order to sanitize req.params
as well, pass in an express router or app to expressSanitized.sanitizeParams
,
along with the names of the params to sanitize, e.g.:
var express = require('express');
var expressSanitized = require('express-sanitize-escape');
var router = express.router();
expressSanitized.sanitizeParams(router, ['id','name']);
router.get('/:id', function(req, res, next)
{
// req.params.id is now sanitized.
...
});
router.get('/:name', function(req, res, next)
{
// req.params.name is now sanitized.
...
});
Output
The string
'<script>document.write('cookie monster')</script> download now'
will be sanitized to ' download now'.
and
< > ' " &
will be escaped to < > ' " &
Limitations
This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks. And node-htmlencode to escape all html entities
Caveats
This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.
This module was inspired by express-sanitizer and express-sanitized. The difference here is: This middleware automatically sanitizes post and query values parameter. And automatically html escapes all strings.
Changelog
v1.0.0
- This is a breaking change.
- Change to use exports instead of module exports
- Middleware is now
exports.middleware so app.use(expressSanitized())
is nowapp.use(expressSanitized.middleware())
- Added a function to decode the body
expressSanitized.htmlDecodeBody()
- Added tests for unicode characters
v0.6.3
- Added function to sanitize request params of a router
v0.6.1
- Added additional test for nested object and an array
- Added chai js for testing
v0.6.0
- Added htmlencoding
- Change filer to recurse through all values of the object and sanitize only values that are strings
- Updated docs to express 4.x and new bodyParser middleware
- Added License file
v0.5.1
- Initial release
Contributors
- Patrick Hogan [email protected] - Wrap the sanitizer in an npm package
- Mark Andrews [email protected]* - Wrote the initial express-sanitizer. I forked his library.
- Callinize
License
Copyright (c) 2016 Finger Food Studios [email protected], MIT License