Support for known array parameters #1
Comments
Hi @avaly good point! I was also thinking about a parameter whitelist. However, I am not sure what the whitelist should look like. Of course, it would contain the names of the parameters HPP will not touch. But that might not be enough: probably for some routes a specific parameter should be whitelisted, but for other routes the parameter with the same name should not be whitelisted. For your example above the following would make sense:

```js
app.use(hpp({
  whitelist: [ 'filters' ]
}));
```

For configuring different routes differently we could extend the whitelist:

```js
app.use(hpp({
  whitelist: [
    { routes: [ '/search' ], parameters: [ 'filters' ] },
    { routes: [ '/find' ], parameters: [ 'categories' ] }
  ]
}));
```

Or instead we could use native filtering:

```js
app.use(hpp()); // To secure all other routes.
app.use('/search', hpp({ whitelist: [ 'filters' ] }));
app.use('/find', hpp({ whitelist: [ 'categories' ] }));
```

I prefer the last solution. However, maybe the routes are not the only distinguishing aspects:

Thoughts?
I agree that the whitelist should be route-specific. I prefer your last example there with the native route filtering.
Thanks, makes sense. I just realized the distinction between query and body could be made like this:

```js
// Each mount gets its own hpp() instance with the matching check disabled.
app.use('/search', hpp({ whitelist: [ 'filters' ], checkBody: false }));
app.use('/search', hpp({ checkQuery: false }));
```

This way

OK, I will implement the whitelist as discussed shortly.
I just published version 0.1.2 to npm.
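To make the whitelist semantics discussed in this thread concrete, here is an added model of parameter-pollution cleaning with a `whitelist`, `checkQuery` and `checkBody` option. It is constructed example code, not the hpp module's own implementation; the behaviour of keeping the last value and setting the duplicates aside in `queryPolluted` / `bodyPolluted` is assumed for illustration.

```javascript
// Minimal model of HTTP Parameter Pollution cleaning with a whitelist.
// Constructed example, not hpp's own code. Assumes the query/body has
// already been parsed into an object whose values are a string or an
// array of strings (what ?page=1&page=2 becomes after parsing).
function cleanParameters(params, options = {}) {
  const whitelist = new Set(options.whitelist || []);
  const clean = {};
  const polluted = {};
  for (const [name, value] of Object.entries(params)) {
    if (!Array.isArray(value) || whitelist.has(name)) {
      // Scalars and whitelisted "known array" parameters pass through intact.
      clean[name] = value;
      continue;
    }
    // Duplicate parameter: keep only the last value, set the full list aside
    // so the application can still inspect or log the pollution attempt.
    polluted[name] = value;
    clean[name] = value[value.length - 1];
  }
  return { clean, polluted };
}

// Express-style middleware factory built on the helper above (constructed).
// checkQuery / checkBody default to true, mirroring the options in the thread.
function hppLike(options = {}) {
  const checkQuery = options.checkQuery !== false;
  const checkBody = options.checkBody !== false;
  return function (req, res, next) {
    if (checkQuery && req.query) {
      const r = cleanParameters(req.query, options);
      req.query = r.clean;
      req.queryPolluted = r.polluted;
    }
    if (checkBody && req.body) {
      const r = cleanParameters(req.body, options);
      req.body = r.clean;
      req.bodyPolluted = r.polluted;
    }
    next();
  };
}

// Constructed request ?filters=a&filters=b&page=1&page=2&q=shoes, parsed.
// With 'filters' whitelisted, it stays an array while 'page' collapses to '2'.
const sampleQuery = { filters: ['a', 'b'], page: ['1', '2'], q: 'shoes' };
const result = cleanParameters(sampleQuery, { whitelist: ['filters'] });
```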
This module assumes that any query parameter is not supposed to be an array. However, some applications might actually require the use of an array parameter. This type of parameter is invalidated by this module while cleaning other potentially invalid parameters.

Example:

I would like a way to notify the plugin to clean only `query`, or to exclude `filters` from the cleaning.