express-autosanitizer
Readme
Automatic sanitization of req body, params and query strings. Uses caja. Sanitizes and escapes automatically as Express middleware.
If this does make your life easier, please consider making a donation to my Patreon. 🤝
Important note: do not use this with large or deeply nested input, as it might overflow: the middleware walks every field recursively. In that case, sanitize individual values instead (see sanitizeIt below).
npm i -S express-autosanitizer
const expAutoSan = require('express-autosanitizer');
Important note: if you intend to use it with app.use(), mount the middleware below the express.json() (or bodyParser()) instantiation.
expAutoSan.all writes sanitized data to req.autosan (req.autosan.body, req.autosan.params, req.autosan.query):
app.use(express.json());
// Mount here
app.use(expAutoSan.all);

app.post('/', (req, res, next) => {
  // req is automatically sanitized, as the middleware is used for all routes
  doYourStuff(req.autosan.body);
  res.render("pagewithtrusteddata");
});
expAutoSan.allUnsafe writes sanitized data back to req itself. It mutates the req object, so it might cause problems. P.S.: this is for applying sanitization for lazy people like me.
app.use(express.json());
// Mount here
app.use(expAutoSan.allUnsafe);
// no extra middleware needed

app.post('/', (req, res, next) => {
  // req is automatically sanitized, as the middleware is used for all routes
  doYourStuff(req.body);
  res.render("pagewithtrusteddata");
});
expAutoSan.route writes sanitized data to req.autosan (req.autosan.body, req.autosan.params, req.autosan.query) for a single route:
// use the middleware
app.post('/', expAutoSan.route, (req, res, next) => {
  // req is automatically sanitized, as the middleware is used for body, query and params of this route
  // req is not mutated, results are stored in req.autosan.body, req.autosan.params, req.autosan.query
  doYourStuff(req.autosan.body);
  // ...
  res.render("pagewithtrusteddata");
});
expAutoSan.routeUnsafe writes sanitized data back to req (req.body, req.params, req.query) for a single route:
// use the different middleware
app.post('/', expAutoSan.routeUnsafe, (req, res, next) => {
  // req is automatically sanitized, as the middleware is used for body, query and params of this route
  // req IS mutated, results are stored in req.body, req.params, req.query
  doYourStuff(req.body);
  // ...
  res.render("pagewithtrusteddata");
});
app.get('/', (req, res, next) => {
  // you can pass an array/object/string or whatever you want; only string parts will be sanitized
  // again, do not pass highly nested structures, this function works recursively
  let mySanitizedData = expAutoSan.sanitizeIt(myDirtyData);
  doYourStuff(mySanitizedData);
  // ...
  res.render("pagewithtrusteddata");
});
When you use it on a field or a route, it removes all script tags and escapes HTML characters. This improves the security of your app.
This module uses the "sanitizer" module; the sanitization logic lives in that package, so review that package yourself. This package walks the data recursively, so it is your responsibility not to feed it data that will crash it. You should be fine for most cases (forms, AJAX apps, APIs, etc.).
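To make the recursion caveat above concrete, here is an added example (not the package's own code) of a depth-bounded recursive walk in the same req.autosan style. The escapeHtml helper and MAX_DEPTH limit are assumptions standing in for the "sanitizer"/caja logic the package delegates to.

```javascript
// Added example: a depth-bounded version of the recursive walk over
// req.body/params/query. escapeHtml is a simple stand-in (assumption) for the
// "sanitizer" package the real middleware uses.
const MAX_DEPTH = 32; // assumed limit; the package itself has no such guard

function escapeHtml(str) {
  return str.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Walk a value, sanitizing only strings. Objects and arrays are copied, so the
// caller's input is never mutated (the req.autosan style, not the *Unsafe one).
// Nesting past MAX_DEPTH raises instead of recursing until the stack overflows.
function sanitizeDeep(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new RangeError(`input nested deeper than ${MAX_DEPTH} levels`);
  }
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      out[key] = sanitizeDeep(value[key], depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Express-style middleware: sanitized copies land on req.autosan, like
// expAutoSan.all. Over-deep input is handed to Express's error handler via
// next(err) rather than crashing the process.
function autosanitize(req, res, next) {
  try {
    req.autosan = {
      body: sanitizeDeep(req.body),
      params: sanitizeDeep(req.params),
      query: sanitizeDeep(req.query),
    };
    return next();
  } catch (err) {
    return next(err);
  }
}
```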
Copyright (c) 2019 Antonio Ramirez sepehralizade@live.com, MIT License
FAQs
The npm package express-autosanitizer receives a total of 284 weekly downloads. As such, express-autosanitizer's popularity was classified as not popular.
We found that express-autosanitizer showed an unhealthy version release cadence and project activity, because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.