A super-simple no-dependency defense against query selector injection attacks: http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

mongo-sanitize

For the passionately lazy, a standalone module that sanitizes inputs against query selector injection attacks:

```javascript
var sanitize = require('mongo-sanitize');

// The sanitize function will strip out any keys that start with '$' in the input,
// so you can pass it to MongoDB without worrying about malicious users overwriting
// query selectors.
var clean = sanitize(req.params.username);

Users.findOne({ name: clean }, function(err, doc) {
  // ...
});
```
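
To see what stripping `$` keys changes, the following added example (not the module's own source) runs the same lookup with and without sanitizing. `stripDollarKeys`, `matches`, `login` and the sample data are hypothetical names and constructed values; the stripper recurses into nested objects and arrays, which goes beyond the single top-level case described above, and `matches` is a tiny stand-in for MongoDB's query engine.

```javascript
// Re-implementation of the idea for illustration; not mongo-sanitize's code.
function stripDollarKeys(value) {
  // Strings, numbers, booleans and null cannot carry operators: pass through.
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(stripDollarKeys);
  const out = {};
  for (const key of Object.keys(value)) {
    if (key.startsWith('$')) continue; // drop query selectors such as $gt or $ne
    out[key] = stripDollarKeys(value[key]);
  }
  return out;
}

// Minimal matcher supporting equality, $gt and $ne only (assumption: enough
// to show the effect; real MongoDB semantics are far richer).
function matches(doc, query) {
  return Object.keys(query).every(function (field) {
    const cond = query[field];
    if (cond === null || typeof cond !== 'object') return doc[field] === cond;
    const ops = Object.keys(cond);
    if (ops.length === 0) return false; // {} only equals an empty sub-document
    return ops.every(function (op) {
      if (op === '$gt') return doc[field] > cond[op];
      if (op === '$ne') return doc[field] !== cond[op];
      return false;
    });
  });
}

// Constructed sample data: one stored user and a JSON request body in which
// the password field is an object carrying a selector instead of a string.
const users = [{ name: 'alice', password: 's3cret' }];
const body = JSON.parse('{"name":"alice","password":{"$gt":""}}');

// Returns how many stored users the resulting query matches.
function login(input, clean) {
  const query = {
    name: clean ? stripDollarKeys(input.name) : input.name,
    password: clean ? stripDollarKeys(input.password) : input.password
  };
  return users.filter(function (u) { return matches(u, query); }).length;
}

console.log('unsanitized query matches:', login(body, false));
console.log('sanitized query matches:  ', login(body, true));
```

After sanitizing, the password condition is an empty object rather than a selector, so the query no longer matches a stored string. Rejecting any non-string value for fields that should be strings is a stricter complement to stripping.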