An express.js middleware for node-validator

express-sanitizer


An express middleware for Caja-HTML-Sanitizer, which wraps Google Caja sanitizer.

A useful complement to express-validator: it fills the gap left now that XSS sanitization support has been removed from that module's parent, node-validator.

Installation

npm install express-sanitizer

Usage

The middleware needs to be mounted after express.bodyParser() (so that req.body exists when it runs) and before anything that requires the sanitized input, e.g.:

var express = require('express'),
    expressSanitizer = require('express-sanitizer');

var app = express();

app.use(express.bodyParser());
app.use(expressSanitizer()); // this line follows express.bodyParser(); an options object may be passed
app.post('/:urlparam', function(req, res) {
  // validation here

  // replace an HTTP posted body property with the sanitized string
  req.body.propertyToSanitize = req.sanitize(req.param('propertyToSanitize'));

  res.send(req.body.propertyToSanitize);
});

app.listen(3000);

Output

The string

'<script>hello</script> world'

will be sanitized to ' world'.
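The following is an added example, not code from the express-sanitizer module itself, that shows the plumbing the Usage and Output sections describe: a middleware factory that attaches req.sanitize() to each request, and why it has to be mounted after the body parser. So that it runs without Express or Google Caja installed, it uses a small stand-in sanitizer (an assumption, not Caja-HTML-Sanitizer) and a tiny stand-in pipeline runner; the option names `sanitize` and `wholeBody`, the helper `sanitizeDeep`, and the sample request body are all constructed for this example. It also goes beyond the README's single-property call by sanitizing every string in a nested body.

```javascript
'use strict';

// Stand-in sanitizer (an assumption for this example; it is NOT
// Caja-HTML-Sanitizer): drops <script>/<style> elements with their content,
// then strips any remaining tags. Regex tag stripping is easy to bypass, so
// it only stands in for the plumbing demo; keep the Caja-backed module in production.
function standInSanitize(input) {
  if (typeof input !== 'string') return input;
  return input
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<\/?[a-z][^>]*>/gi, '');
}

// Recursively sanitize every string inside a parsed body (objects and arrays).
function sanitizeDeep(node, sanitizeFn) {
  if (typeof node === 'string') return sanitizeFn(node);
  if (Array.isArray(node)) return node.map(function (v) { return sanitizeDeep(v, sanitizeFn); });
  if (node && typeof node === 'object') {
    var out = {};
    Object.keys(node).forEach(function (k) { out[k] = sanitizeDeep(node[k], sanitizeFn); });
    return out;
  }
  return node; // numbers, booleans, null pass through untouched
}

// Middleware factory in the shape the README's usage shows: app.use(expressSanitizer(options)).
// The options are assumptions for this example:
//   sanitize:  the sanitizer function to use (default: standInSanitize)
//   wholeBody: if true, sanitize every string in req.body as the request passes
//              through, instead of leaving it to the route handler
function sanitizerMiddleware(options) {
  options = options || {};
  var sanitizeFn = options.sanitize || standInSanitize;
  return function (req, res, next) {
    // Per-request helper, as in the README: req.sanitize(req.param('field'))
    req.sanitize = function (value) { return sanitizeFn(value); };
    if (options.wholeBody) {
      // This is why the README says to mount after the body parser: before it
      // has run, req.body does not exist and there is nothing to sanitize.
      if (req.body === undefined) {
        return next(new Error('req.body is undefined: mount the sanitizer after the body parser'));
      }
      req.body = sanitizeDeep(req.body, sanitizeFn);
    }
    next();
  };
}

// Minimal stand-in for an Express pipeline: runs middleware in mount order on a
// constructed request object and rethrows any error passed to next().
function runPipeline(middlewares, req) {
  var i = 0, failure = null;
  function next(err) {
    if (err) { failure = err; return; }
    var mw = middlewares[i++];
    if (mw) mw(req, {}, next);
  }
  next();
  if (failure) throw failure;
  return req;
}

// Stand-in for express.bodyParser(): parses a JSON text body into req.body.
function bodyParserStandIn(req, res, next) {
  req.body = req.rawText ? JSON.parse(req.rawText) : {};
  next();
}

// Constructed sample request carrying the README's example string plus nested fields.
var SAMPLE_BODY = JSON.stringify({
  comment: '<script>hello</script> world',
  tags: ['<b>bold</b>', 'plain'],
  meta: { title: '<em>Hi</em> there', count: 3 }
});

// Correct order: body parser first, then the sanitizer, as the README requires.
function demoCorrectOrder() {
  var req = runPipeline(
    [bodyParserStandIn, sanitizerMiddleware({ wholeBody: true })],
    { rawText: SAMPLE_BODY }
  );
  return req.body; // comment becomes ' world', the README's documented output
}

// Wrong order: the sanitizer runs before any body exists and reports an error.
function demoWrongOrder() {
  try {
    runPipeline([sanitizerMiddleware({ wholeBody: true }), bodyParserStandIn], { rawText: SAMPLE_BODY });
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log(JSON.stringify(demoCorrectOrder()));
console.log(demoWrongOrder());
```

Sanitizing the whole body at mount time is the design choice that makes the ordering requirement observable: with the README's per-property call the mistake only surfaces later, inside a route handler, whereas here the misplaced middleware fails on the first request.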

Limitations

This is a basic integration of Caja-HTML-Sanitizer with the specific purpose of mitigating persistent (stored) XSS risk.

Caveats

This module trusts its dependencies to provide basic persistent XSS mitigation. Users of this package should review all of those packages and make their own decision on security and fitness for purpose.

Changelog

v1.0.1

  • Updated sanitizer dependency to 0.1.2

v1.0.0

  • Update to v1

v0.1.1

  • Merged PR removing unused dependency

v0.1.0

  • Initial release

License

Copyright (c) 2014 Mark Andrews 20metresbelow@gmail.com, MIT License