New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

express-xss-sanitizer

Package Overview
Dependencies
Maintainers
1
Versions
16
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

express-xss-sanitizer - npm Package Compare versions

Comparing version

1.0.2
to
1.1.0

lib/sanitize.js

53

index.js
"use strict";
const sanitizeHtml = require("sanitize-html");
const sanitize = require("./lib/sanitize");
const initializeOptions = (options) => {
const sanitizerOptions = {};
if (Array.isArray(options.allowedTags) && options.allowedTags.length > 0) {
sanitizerOptions.allowedTags = options.allowedTags;
}
return {
allowedKeys:
(Array.isArray(options.allowedKeys) && options.allowedKeys) || [],
sanitizerOptions,
};
};
const sanitize = (options, data) => {
if (typeof data === "string") {
return sanitizeHtml(data, options.sanitizerOptions);
}
if (Array.isArray(data)) {
return data.map((item) => {
if (typeof item === "string") {
return sanitizeHtml(item, options.sanitizerOptions);
}
if (Array.isArray(item) || typeof item === "object") {
return sanitize(options, item);
}
return item;
});
}
if (typeof data === "object") {
Object.keys(data).forEach((key) => {
if (options.allowedKeys.includes(key)) {
return;
}
const item = data[key];
if (typeof item === "string") {
data[key] = sanitizeHtml(item, options.sanitizerOptions);
} else if (Array.isArray(item) || typeof item === "object") {
data[key] = sanitize(options, item);
}
});
}
return data;
};
function middleware(options = {}) {
options = initializeOptions(options);
return (req, res, next) => {
["body", "params", "headers", "query"].forEach((k) => {
if (req[k]) {
req[k] = sanitize(options, req[k]);
req[k] = sanitize(req[k], options);
}

@@ -60,2 +16,5 @@ });

module.exports = middleware;
module.exports = {
xss: middleware,
sanitize,
};

2

package.json
{
"name": "express-xss-sanitizer",
"version": "1.0.2",
"version": "1.1.0",
"description": "Express 4.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.",

@@ -5,0 +5,0 @@ "main": "index.js",

26

README.md
# Express XSS Sanitizer
Express 4.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.
![GitHub](https://img.shields.io/github/license/ahmedadelfahim/express-xss-sanitizer)
![GitHub](https://img.shields.io/github/license/ahmedadelfahim/express-xss-sanitizer) ![npm](https://img.shields.io/npm/v/express-xss-sanitizer) ![Snyk Vulnerabilities for npm package](https://img.shields.io/snyk/vulnerabilities/npm/express-xss-sanitizer) ![npm](https://img.shields.io/npm/dt/express-xss-sanitizer)
## Installation
```bash
$ npm install express-xss-sanitizer
```
npm install express-xss-sanitizer
```
## Usage

@@ -14,3 +14,3 @@ Add as a piece of express middleware, before defining your routes.

const bodyParser = require('body-parser');
const xss = require('express-xss-sanitizer');
const { xss } = require('express-xss-sanitizer');

@@ -43,3 +43,3 @@ const app = express();

const bodyParser = require('body-parser');
const xss = require('express-xss-sanitizer');
const { xss } = require('express-xss-sanitizer');

@@ -58,3 +58,19 @@ const app = express();

```
You also can sanitize your data (object, array, string,etc) on the fly.
```
const { sanitize } = require('express-xss-sanitizer');
// ...
data = sanitize(data)
// or
data = sanitize(data, {allowedKeys: ['name']})
// ...
```
## Tests
To run the test suite, first install the dependencies, then run `npm test`:
```bash
$ npm install
$ npm test
```
## Support
Feel free to open issues on [github](https://github.com/AhmedAdelFahim/express-xss-sanitizer.git).

705

test/test.js

@@ -11,3 +11,3 @@ /* eslint-disable prettier/prettier */

const { expect } = require("chai");
const sanitize = require("../index");
const { xss, sanitize } = require("../index");

@@ -19,3 +19,3 @@ describe("Express xss Sanitize", function () {

app.use(bodyParser.json());
app.use(sanitize());
app.use(xss());

@@ -268,2 +268,258 @@ app.post("/body", function (req, res) {

describe("Sanitize with custom options as middleware before all routes", function () {
const app = express();
const options = {
allowedKeys: ['c'],
};
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(xss(options));
app.post("/body", function (req, res) {
res.status(200).json({
body: req.body,
});
});
app.post("/headers", function (req, res) {
res.status(200).json({
headers: req.headers,
});
});
app.get("/query", function (req, res) {
res.status(200).json({
query: req.query,
});
});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
request(app)
.post("/body")
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
},
},
done,
);
});
it("should sanitize clean headers.", function (done) {
request(app)
.post("/headers")
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
});
})
.end(done);
});
it("should sanitize clean query.", function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.expect(
200,
{
query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
},
},
done,
);
});
it("should sanitize dirty body.", function (done) {
request(app)
.post("/body")
.send({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
},
},
done,
);
});
it("should sanitize dirty query.", function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.expect(
200,
{
query: {
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
},
},
done,
);
});
it("should sanitize dirty headers.", function (done) {
request(app)
.post("/headers")
.set({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
});
})
.end(done);
});
});
describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
request(app)
.post("/body")
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
},
},
done,
);
});
it("should sanitize dirty body.", function (done) {
request(app)
.post("/body")
.send({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
})
.expect(
200,
{
body: {
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "",
r: {
a: "<h6>H6 Test</h6>",
},
},
},
},
done,
);
});
});
});
describe("Sanitize with default settings as middleware before each route", function () {

@@ -274,3 +530,3 @@ const app = express();

app.post("/body", sanitize(), function (req, res) {
app.post("/body", xss(), function (req, res) {
res.status(200).json({

@@ -281,3 +537,3 @@ body: req.body,

app.post("/headers", sanitize(), function (req, res) {
app.post("/headers", xss(), function (req, res) {
res.status(200).json({

@@ -521,2 +777,443 @@ headers: req.headers,

});
describe("Sanitize with custom options as middleware before each route", function () {
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.post("/body", xss({ allowedKeys: ['c'] }), function (req, res) {
res.status(200).json({
body: req.body,
});
});
app.post("/headers", xss(), function (req, res) {
res.status(200).json({
headers: req.headers,
});
});
app.get("/query", function (req, res) {
res.status(200).json({
query: req.query,
});
});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
request(app)
.post("/body")
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
},
},
done,
);
});
it("should sanitize clean headers.", function (done) {
request(app)
.post("/headers")
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
});
})
.end(done);
});
it("should sanitize clean query.", function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.expect(
200,
{
query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
},
},
done,
);
});
it("should sanitize dirty body.", function (done) {
request(app)
.post("/body")
.send({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
},
},
done,
);
});
it("should not sanitize dirty query.", function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.expect(
200,
{
query: {
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
},
done,
);
});
it("should sanitize dirty headers.", function (done) {
request(app)
.post("/headers")
.set({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
c: "",
});
})
.end(done);
});
});
describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
request(app)
.post("/body")
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
},
},
done,
);
});
it("should sanitize dirty body.", function (done) {
request(app)
.post("/body")
.send({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
})
.expect(
200,
{
body: {
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "",
r: {
a: "<h6>H6 Test</h6>",
},
},
},
},
done,
);
});
});
});
describe("Sanitize data with default settings as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
expect(sanitize({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
})).to.eql({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
});
done();
});
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
});
done();
});
});
describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
expect(sanitize({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
})).to.eql({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "Test1",
r: {
a: "<h6>H6 Test</h6>",
},
},
});
done();
});
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
})).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: "",
r: {
a: "<h6>H6 Test</h6>",
},
},
});
done();
});
});
});
describe("Sanitize data with custom options as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
}, { allowedKeys: ['c'] })).to.eql({
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
});
done();
});
});
describe("Sanitize complex object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
}, { allowedKeys: ['e'] })).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
arr: [
"<h1>H1 Test</h1>",
"bla bla",
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
});
done();
});
});
});
});