An express.js middleware for node-validator
Latest commit b6c6a78 May 22, 2018


express-sanitizer

An Express middleware for Caja-HTML-Sanitizer, which wraps the Google Caja sanitizer.

A useful complement to express-validator: it fills the gap left now that XSS sanitization support has been removed from that module's parent, node-validator.

Installation

Scaffold an application using express-generator

Then, install this library:

npm install --save express-sanitizer

Usage

Edit app.js

Import the module with this declaration at the top of the file:

var expressSanitizer = require('express-sanitizer');

Mount the middleware below the bodyParser() instantiations and above the mounting of your routes, so that req.body has already been parsed when a route calls req.sanitize():

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));

// Mount express-sanitizer here
app.use(expressSanitizer()); // this line follows bodyParser() instantiations

app.use('/', index);
app.use('/users', users);

Edit routes/index.js and create a new route:

// These two lines are already present in the routes/index.js that express-generator scaffolds
var express = require('express');
var router = express.Router();

router.post('/', function(req, res, next) {
  // replace an HTTP posted body property with the sanitized string
  // (req.sanitize is attached by the express-sanitizer middleware mounted in app.js)
  req.body.sanitized = req.sanitize(req.body.propertyToSanitize);
  // send the response
  res.send('Your value was sanitized to: ' + req.body.sanitized);
});

module.exports = router; // also already present in the scaffolded file

Use a client such as Postman to post an x-www-form-urlencoded body with a key named propertyToSanitize to http://localhost:3000.

Output

The string

'<script>hello</script> world'

will be sanitized to ' world'.
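The following is an added example, not code from the express-sanitizer project, that reproduces the Usage and Output sections above without Express installed so the request flow can be run end to end. It models the three pieces in the order they are mounted in app.js (a form-body parser, the sanitizer middleware that attaches req.sanitize, and the POST route) with a tiny sequential runner standing in for app.use(). The sanitizeHtml function is a constructed stand-in for Caja-HTML-Sanitizer, not the real allowlist-based sanitizer, and fakeUrlencodedParser is a constructed stand-in for bodyParser.urlencoded(); the sanitizeBody helper goes beyond the README's single-property example by sanitizing every string field of a parsed body.

```javascript
// Added example (not part of express-sanitizer). Names marked "stand-in" are constructed
// for this demo and do not come from the project or its dependencies.

// Stand-in for Caja-HTML-Sanitizer: drops <script>/<style> elements with their content,
// then strips any remaining tag. The real module delegates to Google Caja's sanitizer.
function sanitizeHtml(input) {
  return String(input)
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '')
    .replace(/<\/?[^>]+>/g, '');
}

// Middleware factory in the shape of expressSanitizer(): attaches req.sanitize to each
// request. The sanitizer is injectable so the stand-in above can be used here.
function expressSanitizer(sanitizer) {
  var fn = sanitizer || sanitizeHtml;
  return function sanitizerMiddleware(req, res, next) {
    req.sanitize = function (value) { return fn(value); };
    next();
  };
}

// Sanitize every string leaf of a parsed body, returning a new object. Numbers,
// booleans and null pass through unchanged, so only text can carry markup.
function sanitizeBody(req, body) {
  if (typeof body === 'string') return req.sanitize(body);
  if (Array.isArray(body)) return body.map(function (v) { return sanitizeBody(req, v); });
  if (body && typeof body === 'object') {
    var out = {};
    Object.keys(body).forEach(function (k) { out[k] = sanitizeBody(req, body[k]); });
    return out;
  }
  return body;
}

// Stand-in for bodyParser.urlencoded(): parses a raw form string into req.body.
function fakeUrlencodedParser(req, res, next) {
  req.body = {};
  String(req.rawBody || '').split('&').filter(Boolean).forEach(function (pair) {
    var kv = pair.split('=');
    req.body[decodeURIComponent(kv[0])] =
      decodeURIComponent((kv[1] || '').replace(/\+/g, ' '));
  });
  next();
}

// Sequential runner standing in for app.use(): handlers run in mount order, which is
// why the sanitizer is mounted after the body parser and before the routes.
function runChain(handlers, req, res) {
  var i = 0;
  function next(err) {
    if (err) throw err;
    var h = handlers[i++];
    if (h) h(req, res, next);
  }
  next();
  return res;
}

// Route in the shape of the README's router.post('/') handler; res.payload stands in
// for res.send().
function postHandler(req, res) {
  req.body.sanitized = req.sanitize(req.body.propertyToSanitize);
  res.payload = 'Your value was sanitized to: ' + req.body.sanitized;
}

// End to end: raw x-www-form-urlencoded body in, sanitized response text out.
function handlePost(rawBody) {
  var req = { rawBody: rawBody };
  var res = {};
  runChain([fakeUrlencodedParser, expressSanitizer(), postHandler], req, res);
  return res.payload;
}

// Constructed sample input matching the README's Output section.
var sampleBody = 'propertyToSanitize=' + encodeURIComponent('<script>hello</script> world');
console.log(handlePost(sampleBody)); // → Your value was sanitized to:  world
```

Note that the middleware only attaches req.sanitize; nothing in req.body is changed until a route calls it, which is what sanitizeBody automates when every text field of a form should be treated the same way.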

Limitations

This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating persistent (stored) XSS risks (note the borderline-abandonware comments in that repo).

Caveats

This module trusts its dependencies to provide basic persistent XSS risk mitigation. Users of this package should review all of those packages and make their own decision on security and fitness for purpose.

Changelog

v1.0.4

  • Merged PR #3 from Brian M. Jemilo II

v1.0.3

  • Updated README to base example on an express-generator scaffolded application

v1.0.2

  • Updated sanitizer dependency to 0.1.3
  • Merged PR #4 from @ScottRamsden

v1.0.1

  • Updated sanitizer dependency to 0.1.2

v1.0.0

  • Update to v1

v0.1.1

  • Merged PR removing unused dependency

v0.1.0

  • Initial release

Contributors

License

Copyright (c) 2018 Mark Andrews 20metresbelow@gmail.com, MIT License