Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
express-caja-sanitizer
Advanced tools
Readme
An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.
npm install express-caja-sanitizer
Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:
var express = require('express');
var bodyParser = require('body-parser');
var cajaSanitizer = require('express-caja-sanitizer');
var app = express();
app.use(bodyParser());
app.use(cajaSanitizer());
This module by default sanitizes the request URL params (req.params
), apart from request body and query string params, e.g.:
http://www.myapp.com/rest/user/<script>console.log("hello")</script>bob/details
will be sanitized as
http://www.myapp.com/rest/user/bob/details
shouldSanitize
When shouldSanitize
function is provided as an option, the module will sanitize only the (key, value) pairs for which the function returns true
.
For example, if we don't want to sanitize XML values then the preprocesser function can be
var shouldSanitize = function(key, value) {
return !value.startsWith('<?xml version="1.0"')
}
##Limitations This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.
##Caveats This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.
FAQs
An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.
The npm package express-caja-sanitizer receives a total of 354 weekly downloads. As such, express-caja-sanitizer popularity was classified as not popular.
We found that express-caja-sanitizer demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.