Comparing version 1.1.6 to 1.1.7

.prettierrc

6

index.js

@@ -1,8 +0,8 @@

"use strict";
'use strict';
const sanitize = require("./lib/sanitize");
const sanitize = require('./lib/sanitize');
function middleware(options = {}) {
return (req, res, next) => {
["body", "params", "headers", "query"].forEach((k) => {
['body', 'params', 'headers', 'query'].forEach((k) => {
if (req[k]) {

@@ -9,0 +9,0 @@ req[k] = sanitize(req[k], options);

@@ -1,9 +0,7 @@

"use strict";
'use strict';
const sanitizeHtml = require("sanitize-html");
const sanitizeHtml = require('sanitize-html');
function hasOwn(object, key) {
const keys = Reflect.ownKeys(object).filter(
(item) => typeof item !== "symbol"
);
const keys = Reflect.ownKeys(object).filter((item) => typeof item !== 'symbol');
return keys.includes(key);

@@ -14,15 +12,12 @@ }

const sanitizerOptions = {};
if (
hasOwn(options, "allowedTags") &&
Array.isArray(options.allowedTags) &&
options.allowedTags.length > 0
) {
if (hasOwn(options, 'allowedTags') && Array.isArray(options.allowedTags) && options.allowedTags.length > 0) {
sanitizerOptions.allowedTags = options.allowedTags;
}
if (hasOwn(options, 'allowedAttributes') && Object.keys(options.allowedAttributes).length > 0) {
sanitizerOptions.allowedAttributes = options.allowedAttributes;
}
return {
allowedKeys:
(hasOwn(options, "allowedKeys") &&
Array.isArray(options.allowedKeys) &&
options.allowedKeys) ||
[],
allowedKeys: (hasOwn(options, 'allowedKeys') && Array.isArray(options.allowedKeys) && options.allowedKeys) || [],
sanitizerOptions,
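Review bot: The new `allowedAttributes` branch at `if (hasOwn(options, 'allowedAttributes') && Object.keys(options.allowedAttributes).length > 0)` has no type guard, unlike the `allowedTags` branch directly above it, so `allowedAttributes: null` throws a TypeError from `Object.keys` and a string or array value is forwarded to sanitize-html as-is. Mirror the sibling check: `const attrs = options.allowedAttributes;` / `if (hasOwn(options, 'allowedAttributes') && attrs !== null && typeof attrs === 'object' && !Array.isArray(attrs) && Object.keys(attrs).length > 0) {`. A why-comment on the assignment would also help, e.g. `// forwarded unchanged to sanitize-html: the caller owns this allow-list, so keep event-handler (on*) and URL-bearing attributes out of it`. Attributes are only kept on tags sanitize-html already allows (the new test at the bottom of this page pairs `allowedAttributes.input` with `allowedTags: ['input']`), whereas the README example in this version lists `allowedAttributes.input` without `allowedTags`, which presumably would not keep `<input>` at all. The enclosing function starts before this hunk.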

@@ -33,3 +28,3 @@ };

const sanitize = (options, data) => {
if (typeof data === "string") {
if (typeof data === 'string') {
return sanitizeHtml(data, options.sanitizerOptions);

@@ -39,6 +34,6 @@ }

return data.map((item) => {
if (typeof item === "string") {
if (typeof item === 'string') {
return sanitizeHtml(item, options.sanitizerOptions);
}
if (Array.isArray(item) || typeof item === "object") {
if (Array.isArray(item) || typeof item === 'object') {
return sanitize(options, item);

@@ -49,3 +44,3 @@ }

}
if (typeof data === "object" && data !== null) {
if (typeof data === 'object' && data !== null) {
Object.keys(data).forEach((key) => {

@@ -56,5 +51,5 @@ if (options.allowedKeys.includes(key)) {

const item = data[key];
if (typeof item === "string") {
if (typeof item === 'string') {
data[key] = sanitizeHtml(item, options.sanitizerOptions);
} else if (Array.isArray(item) || typeof item === "object") {
} else if (Array.isArray(item) || typeof item === 'object') {
data[key] = sanitize(options, item);

@@ -61,0 +56,0 @@ }

{
"name": "express-xss-sanitizer",
"version": "1.1.6",
"version": "1.1.7",
"description": "Express 4.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.",
"main": "index.js",
"scripts": {
"test": "./node_modules/mocha/bin/mocha "
"test": "./node_modules/mocha/bin/_mocha",
"test:spec": "npx mocha --reporter spec",
"format": "prettier --config .prettierrc './**/*.js' --write",
"lint": "eslint . --ext .js",
"lint:fix": "eslint . --ext .js --fix",
"prepublishOnly": "npm run lint",
"preversion": "npm run lint && npm run test"
},

@@ -28,3 +34,3 @@ "repository": {

"dependencies": {
"sanitize-html": "~2.7.1"
"sanitize-html": "~2.11.0"
},

@@ -40,3 +46,3 @@ "devDependencies": {

"express": "^4.17.1",
"mocha": "^7.1.1",
"mocha": "^10.2.0",
"prettier": "^2.2.1",

@@ -43,0 +49,0 @@ "supertest": "^6.0.1"

@@ -22,6 +22,9 @@ # Express XSS Sanitizer

```
You can add options to specify allowed keys to be skipped at sanitization
You can add options to specify allowed keys or allowed attributes to be skipped at sanitization
```
const options = {
allowedKeys: ['name']
allowedKeys: ['name'],
allowedAttributes: {
input: ['value'],
},
}

@@ -28,0 +31,0 @@

@@ -5,12 +5,12 @@ /* eslint-disable prettier/prettier */

"use strict";
'use strict';
const request = require("supertest");
const express = require("express");
const bodyParser = require("body-parser");
const { expect } = require("chai");
const { xss, sanitize } = require("../index");
const request = require('supertest');
const express = require('express');
const bodyParser = require('body-parser');
const { expect } = require('chai');
const { xss, sanitize } = require('../index');
describe("Express xss Sanitize", function () {
describe("Sanitize with default settings as middleware before all routes", function () {
describe('Express xss Sanitize', function () {
describe('Sanitize with default settings as middleware before all routes', function () {
const app = express();

@@ -21,3 +21,3 @@ app.use(bodyParser.urlencoded({ extended: true }));

app.post("/body", function (req, res) {
app.post('/body', function (req, res) {
res.status(200).json({

@@ -28,3 +28,3 @@ body: req.body,

app.post("/headers", function (req, res) {
app.post('/headers', function (req, res) {
res.status(200).json({

@@ -35,3 +35,3 @@ headers: req.headers,

app.get("/query", function (req, res) {
app.get('/query', function (req, res) {
res.status(200).json({

@@ -41,11 +41,11 @@ query: req.query,

});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -58,4 +58,4 @@ .expect(

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -67,10 +67,10 @@ },

it("should sanitize clean headers.", function (done) {
it('should sanitize clean headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -80,6 +80,6 @@ .expect(200)

expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
});

@@ -90,5 +90,5 @@ })

it("should sanitize clean query.", function (done) {
it('should sanitize clean query.', function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(

@@ -98,6 +98,6 @@ 200,

query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -109,7 +109,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -122,5 +122,5 @@ c: '<img src="/"/>',

body: {
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
},

@@ -132,7 +132,5 @@ },

it("should sanitize dirty query.", function (done) {
it('should sanitize dirty query.', function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(

@@ -142,5 +140,5 @@ 200,

query: {
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
},

@@ -152,7 +150,7 @@ },

it("should sanitize dirty headers.", function (done) {
it('should sanitize dirty headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -164,5 +162,5 @@ c: '<img src="/"/>',

expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
});

@@ -174,16 +172,16 @@ })

describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -193,5 +191,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -206,9 +204,9 @@ },

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -218,5 +216,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -230,7 +228,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -240,10 +238,5 @@ c: '<img src="/"/>',

"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
'bla bla',
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',

@@ -255,3 +248,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -264,10 +257,10 @@ },

body: {
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -277,5 +270,5 @@ },

obj: {
e: "",
e: '',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -291,6 +284,6 @@ },

describe("Sanitize with custom options as middleware before all routes", function () {
describe('Sanitize with custom options as middleware before all routes', function () {
const app = express();
const options = {
allowedKeys: ["c"],
allowedKeys: ['c'],
};

@@ -301,3 +294,3 @@ app.use(bodyParser.urlencoded({ extended: true }));

app.post("/body", function (req, res) {
app.post('/body', function (req, res) {
res.status(200).json({

@@ -308,3 +301,3 @@ body: req.body,

app.post("/headers", function (req, res) {
app.post('/headers', function (req, res) {
res.status(200).json({

@@ -315,3 +308,3 @@ headers: req.headers,

app.get("/query", function (req, res) {
app.get('/query', function (req, res) {
res.status(200).json({

@@ -321,11 +314,11 @@ query: req.query,

});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -338,4 +331,4 @@ .expect(

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -347,10 +340,10 @@ },

it("should sanitize clean headers.", function (done) {
it('should sanitize clean headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -360,6 +353,6 @@ .expect(200)

expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
});

@@ -370,5 +363,5 @@ })

it("should sanitize clean query.", function (done) {
it('should sanitize clean query.', function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(

@@ -378,6 +371,6 @@ 200,

query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -389,7 +382,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -402,4 +395,4 @@ c: '<img src="/"/>',

body: {
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',

@@ -412,7 +405,5 @@ },

it("should sanitize dirty query.", function (done) {
it('should sanitize dirty query.', function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(

@@ -422,4 +413,4 @@ 200,

query: {
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',

@@ -432,7 +423,7 @@ },

it("should sanitize dirty headers.", function (done) {
it('should sanitize dirty headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -444,4 +435,4 @@ c: '<img src="/"/>',

expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',

@@ -454,16 +445,16 @@ });

describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -473,5 +464,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -486,9 +477,9 @@ },

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -498,5 +489,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -510,7 +501,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -520,10 +511,5 @@ c: '<img src="/"/>',

"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
'bla bla',
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',

@@ -535,3 +521,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -544,10 +530,10 @@ },

body: {
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -557,5 +543,5 @@ },

obj: {
e: "",
e: '',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -571,3 +557,3 @@ },

describe("Sanitize with default settings as middleware before each route", function () {
describe('Sanitize with default settings as middleware before each route', function () {
const app = express();

@@ -577,3 +563,3 @@ app.use(bodyParser.urlencoded({ extended: true }));

app.post("/body", xss(), function (req, res) {
app.post('/body', xss(), function (req, res) {
res.status(200).json({

@@ -584,3 +570,3 @@ body: req.body,

app.post("/headers", xss(), function (req, res) {
app.post('/headers', xss(), function (req, res) {
res.status(200).json({

@@ -591,3 +577,3 @@ headers: req.headers,

app.get("/query", function (req, res) {
app.get('/query', function (req, res) {
res.status(200).json({

@@ -597,11 +583,11 @@ query: req.query,

});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -614,4 +600,4 @@ .expect(

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -623,10 +609,10 @@ },

it("should sanitize clean headers.", function (done) {
it('should sanitize clean headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -636,6 +622,6 @@ .expect(200)

expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
});

@@ -646,5 +632,5 @@ })

it("should sanitize clean query.", function (done) {
it('should sanitize clean query.', function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(

@@ -654,6 +640,6 @@ 200,

query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -665,7 +651,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -678,5 +664,5 @@ c: '<img src="/"/>',

body: {
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
},

@@ -688,7 +674,5 @@ },

it("should not sanitize dirty query.", function (done) {
it('should not sanitize dirty query.', function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(

@@ -698,3 +682,3 @@ 200,

query: {
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -708,7 +692,7 @@ c: '<img src="/"/>',

it("should sanitize dirty headers.", function (done) {
it('should sanitize dirty headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -720,5 +704,5 @@ c: '<img src="/"/>',

expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
});

@@ -730,16 +714,16 @@ })

describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -749,5 +733,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -762,9 +746,9 @@ },

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -774,5 +758,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -786,7 +770,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -796,10 +780,5 @@ c: '<img src="/"/>',

"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
'bla bla',
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',

@@ -811,3 +790,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -820,10 +799,10 @@ },

body: {
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -833,5 +812,5 @@ },

obj: {
e: "",
e: '',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -847,3 +826,3 @@ },

describe("Sanitize with custom options as middleware before each route", function () {
describe('Sanitize with custom options as middleware before each route', function () {
const app = express();

@@ -853,3 +832,3 @@ app.use(bodyParser.urlencoded({ extended: true }));

app.post("/body", xss({ allowedKeys: ["c"] }), function (req, res) {
app.post('/body', xss({ allowedKeys: ['c'] }), function (req, res) {
res.status(200).json({

@@ -860,3 +839,3 @@ body: req.body,

app.post("/headers", xss(), function (req, res) {
app.post('/headers', xss(), function (req, res) {
res.status(200).json({

@@ -867,3 +846,3 @@ headers: req.headers,

app.get("/query", function (req, res) {
app.get('/query', function (req, res) {
res.status(200).json({

@@ -873,11 +852,11 @@ query: req.query,

});
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -890,4 +869,4 @@ .expect(

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -899,10 +878,10 @@ },

it("should sanitize clean headers.", function (done) {
it('should sanitize clean headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})

@@ -912,6 +891,6 @@ .expect(200)

expect(res.body.headers).to.include({
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
});

@@ -922,5 +901,5 @@ })

it("should sanitize clean query.", function (done) {
it('should sanitize clean query.', function (done) {
request(app)
.get("/query?y=4&z=false&w=bla bla&a=<p>Test</p>")
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(

@@ -930,6 +909,6 @@ 200,

query: {
y: "4",
z: "false",
w: "bla bla",
a: "<p>Test</p>",
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},

@@ -941,7 +920,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -954,4 +933,4 @@ c: '<img src="/"/>',

body: {
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',

@@ -964,7 +943,5 @@ },

it("should not sanitize dirty query.", function (done) {
it('should not sanitize dirty query.', function (done) {
request(app)
.get(
'/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>',
)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(

@@ -974,3 +951,3 @@ 200,

query: {
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -984,7 +961,7 @@ c: '<img src="/"/>',

it("should sanitize dirty headers.", function (done) {
it('should sanitize dirty headers.', function (done) {
request(app)
.post("/headers")
.post('/headers')
.set({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -996,5 +973,5 @@ c: '<img src="/"/>',

expect(res.body.headers).to.include({
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
});

@@ -1006,16 +983,16 @@ })

describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1026,5 +1003,5 @@ c: '<img src="/"/>',

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1039,9 +1016,9 @@ },

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1052,5 +1029,5 @@ c: '<img src="/"/>',

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1064,7 +1041,7 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
request(app)
.post("/body")
.post('/body')
.send({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -1074,10 +1051,5 @@ c: '<img src="/"/>',

"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
'bla bla',
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',

@@ -1089,3 +1061,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1098,10 +1070,10 @@ },

body: {
a: "",
b: "<p>Test</p>",
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1111,5 +1083,5 @@ },

obj: {
e: "",
e: '',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1125,15 +1097,17 @@ },

describe("Sanitize data with default settings as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize clean body.", function (done) {
expect(sanitize({
describe('Sanitize data with default settings as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
expect(
sanitize({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
}),
).to.eql({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
})).to.eql({
y: 4,
z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
});

@@ -1143,11 +1117,13 @@ done();

it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
}),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
});

@@ -1158,4 +1134,4 @@ done();

describe("Sanitize complex object", function () {
it("should sanitize clean body.", function (done) {
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
expect(

@@ -1165,9 +1141,9 @@ sanitize({

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1177,5 +1153,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1187,9 +1163,9 @@ },

z: false,
w: "bla bla",
a: "<p>Test</p>",
w: 'bla bla',
a: '<p>Test</p>',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1199,5 +1175,5 @@ },

obj: {
e: "Test1",
e: 'Test1',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1209,6 +1185,6 @@ },

it("should sanitize dirty body.", function (done) {
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: "<script>Test</script>",
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',

@@ -1218,10 +1194,5 @@ c: '<img src="/"/>',

"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
'bla bla',
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
],
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',

@@ -1233,3 +1204,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1239,10 +1210,10 @@ },

).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
a: '',
b: '<p>Test</p>',
c: '',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1252,5 +1223,5 @@ },

obj: {
e: "",
e: '',
r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1263,7 +1234,5 @@ },

describe("Sanitize null value", function () {
it("should return null.", function (done) {
expect(
sanitize(null),
).to.eql(null);
describe('Sanitize null value', function () {
it('should return null.', function (done) {
expect(sanitize(null)).to.eql(null);
done();

@@ -1274,13 +1243,18 @@ });

describe("Sanitize data with custom options as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
}, { allowedKeys: ["c"] })).to.eql({
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
});

@@ -1291,36 +1265,57 @@ done();

describe("Sanitize complex object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
"bla bla",
describe('Sanitize complex object with attributes', function () {
it('should sanitize but keep asked attributes.', function (done) {
expect(
sanitize(
{
i: [
"<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>",
"bla bla",
false,
5,
d: '<input value="some value" class="test-class" />',
},
{
allowedTags: ['input'],
allowedAttributes: {
input: ['value'],
},
},
),
).to.eql({
d: '<input value="some value" />',
});
done();
});
});
describe('Sanitize complex object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
j: '<a href="/" onclick="return 0;">Link</a>',
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: "<h6>H6 Test</h6>",
},
},
}, { allowedKeys: ["e"] })).to.eql({
a: "",
b: "<p>Test</p>",
c: "",
{ allowedKeys: ['e'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
arr: [
"<h1>H1 Test</h1>",
"bla bla",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3>H3 Test</h3>", "bla bla", false, 5],
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',

@@ -1332,3 +1327,3 @@ },

r: {
a: "<h6>H6 Test</h6>",
a: '<h6>H6 Test</h6>',
},

@@ -1342,13 +1337,18 @@ },

describe("Sanitize data with custom options as function", function () {
describe("Sanitize simple object", function () {
it("should sanitize dirty body.", function (done) {
expect(sanitize({
a: "<script>Test</script>",
b: '<p onclick="return;">Test</p>',
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
}, { allowedKeys: ["c"] })).to.eql({
a: "",
b: "<p>Test</p>",
c: '<img src="/"/>',
});

@@ -1359,10 +1359,15 @@ done();

describe("XSS bypass by using prototype pollution issue", function () {
it("should sanitize dirty data after prototype pollution.", function (done) {
describe('XSS bypass by using prototype pollution issue', function () {
it('should sanitize dirty data after prototype pollution.', function (done) {
// eslint-disable-next-line no-extend-native
Object.prototype.allowedTags = ['script'];
expect(sanitize({
a: "<script>Test</script>",
}, {})).to.eql({
a: "",
expect(
sanitize(
{
a: '<script>Test</script>',
},
{},
),
).to.eql({
a: '',
});

@@ -1369,0 +1374,0 @@ done();
