
express-xss-sanitizer


express-xss-sanitizer - npm Package Compare versions

Comparing version 1.2.0 to 1.2.1

.trunk/actions/trunk-single-player-auto-on-upgrade/2024-11-15-11-21-01.366.yaml

2

package.json
{
"name": "express-xss-sanitizer",
"version": "1.2.0",
"version": "1.2.1",
"description": "Express 4.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.",

@@ -5,0 +5,0 @@ "main": "index.js",

@@ -16,3 +16,3 @@ # Express XSS Sanitizer

Add as a piece of express middleware, before defining your routes.
```
```javascript
const express = require('express');

@@ -29,3 +29,3 @@ const bodyParser = require('body-parser');

You can add options to specify allowed keys or allowed attributes to be skipped at sanitization
```
```javascript
const options = {

@@ -41,3 +41,3 @@ allowedKeys: ['name'],

You can add options to specify allowed tags to sanitize it and remove other tags
```
```javascript
const options = {

@@ -50,3 +50,3 @@ allowedTags: ['h1']

Add as a piece of express middleware, before single route.
```
```javascript
const express = require('express');

@@ -68,4 +68,20 @@ const bodyParser = require('body-parser');

```
__Note:__ if you adding xxs() as application level middleware, the xxs() will sanitize req.body, req.headers and req.query only and for req.params you must add xxs() as route level middleware like below example.
```javascript
const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');
const app = express();
app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.post("/params/:val", xss(), function (req, res) {
// your code
});
```
You also can sanitize your data (object, array, string,etc) on the fly.
```
```javascript
const { sanitize } = require('express-xss-sanitizer');

@@ -89,2 +105,2 @@

## Support
Feel free to open issues on [github](https://github.com/AhmedAdelFahim/express-xss-sanitizer.git).
Feel free to open issues on [github](https://github.com/AhmedAdelFahim/express-xss-sanitizer.git).

@@ -0,1 +1,2 @@

/* eslint-disable no-shadow */
/* eslint-disable prettier/prettier */

@@ -26,2 +27,14 @@ /* eslint-disable func-names */

app.post('/params/:val', function (req, res) {
res.status(200).json({
params: req.params,
});
});
app.post('/params-route-level/:val', xss(), function (req, res) {
res.status(200).json({
params: req.params,
});
});
app.post('/headers', function (req, res) {

@@ -39,19 +52,11 @@ res.status(200).json({

describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
it('should sanitize clean params.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.post(`/params/${encodeURIComponent('<p>Test</p>')}`)
.send({})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
params: {
val: '<p>Test</p>',
},

@@ -62,15 +67,30 @@ },

});
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
},
},
done,
);
});
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',

@@ -80,14 +100,6 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: '4',

@@ -97,230 +109,253 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '',
it('should sanitize dirty params.', function (done) {
request(app)
.post(`/params-route-level/${encodeURIComponent('<script>Test</script>')}`)
.send({})
.expect(
200,
{
params: {
val: '',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '',
},
},
done,
);
});
it('should sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '',
b: '<p>Test</p>',
c: '',
},
},
done,
);
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
},
},
done,
);
});
})
.end(done);
});
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
});
})
.end(done);
});
});
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
done,
);
});
});
});
});
describe('Sanitize with custom options as middleware before all routes', function () {
const app = express();
const options = {
allowedKeys: ['c'],
};
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(xss(options));
describe('Sanitize with custom options as middleware before all routes', function () {
const app = express();
const options = {
allowedKeys: ['c'],
};
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.use(xss(options));
app.post('/body', function (req, res) {
res.status(200).json({
body: req.body,
app.post('/body', function (req, res) {
res.status(200).json({
body: req.body,
});
});
});
app.post('/headers', function (req, res) {
res.status(200).json({
headers: req.headers,
app.post('/headers', function (req, res) {
res.status(200).json({
headers: req.headers,
});
});
});
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
});
});
});
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',

@@ -330,14 +365,6 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: '4',

@@ -347,226 +374,234 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
it('should sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
},
},
done,
);
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
},
},
done,
);
});
})
.end(done);
});
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
});
})
.end(done);
});
});
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
done,
);
});
});
});
});
describe('Sanitize with default settings as middleware before each route', function () {
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
describe('Sanitize with default settings as middleware before each route', function () {
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.post('/body', xss(), function (req, res) {
res.status(200).json({
body: req.body,
app.post('/body', xss(), function (req, res) {
res.status(200).json({
body: req.body,
});
});
});
app.post('/headers', xss(), function (req, res) {
res.status(200).json({
headers: req.headers,
app.post('/headers', xss(), function (req, res) {
res.status(200).json({
headers: req.headers,
});
});
});
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
});
});
});
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',

@@ -576,14 +611,6 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: '4',

@@ -593,226 +620,234 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '',
},
},
done,
);
});
it('should not sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
},
done,
);
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
},
},
done,
);
});
})
.end(done);
});
});
it('should not sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
done,
);
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
});
})
.end(done);
});
});
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
})
.expect(
200,
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
done,
);
});
});
});
});
describe('Sanitize with custom options as middleware before each route', function () {
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
describe('Sanitize with custom options as middleware before each route', function () {
const app = express();
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
app.post('/body', xss({ allowedKeys: ['c'] }), function (req, res) {
res.status(200).json({
body: req.body,
app.post('/body', xss({ allowedKeys: ['c'] }), function (req, res) {
res.status(200).json({
body: req.body,
});
});
});
app.post('/headers', xss(), function (req, res) {
res.status(200).json({
headers: req.headers,
app.post('/headers', xss(), function (req, res) {
res.status(200).json({
headers: req.headers,
});
});
});
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
app.get('/query', function (req, res) {
res.status(200).json({
query: req.query,
});
});
});
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
it('should sanitize clean headers.', function (done) {
request(app)
.post('/headers')
.set({
y: '4',

@@ -822,14 +857,6 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
y: '4',

@@ -839,175 +866,197 @@ z: 'false',

a: '<p>Test</p>',
});
})
.end(done);
});
it('should sanitize clean query.', function (done) {
request(app)
.get('/query?y=4&z=false&w=bla bla&a=<p>Test</p>')
.expect(
200,
{
query: {
y: '4',
z: 'false',
w: 'bla bla',
a: '<p>Test</p>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
},
},
},
done,
);
});
done,
);
});
it('should not sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
it('should not sanitize dirty query.', function (done) {
request(app)
.get('/query?a=<script>Test</script>&b=<p onclick="return;">Test</p>&c=<img src="/"/>')
.expect(
200,
{
query: {
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
});
})
.end(done);
it('should sanitize dirty headers.', function (done) {
request(app)
.post('/headers')
.set({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
})
.expect(200)
.expect(function (res) {
expect(res.body.headers).to.include({
a: '',
b: '<p>Test</p>',
c: '',
});
})
.end(done);
});
});
});
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
request(app)
.post('/body')
.send({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
body: {
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
c: '<img src="/"/>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
});
done,
);
});
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
it('should sanitize dirty body.', function (done) {
request(app)
.post('/body')
.send({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
})
.expect(
200,
{
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
body: {
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
},
},
done,
);
done,
);
});
});
});
});
describe('Sanitize data with default settings as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
expect(
sanitize({
describe('Sanitize data with default settings as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize clean body.', function (done) {
expect(
sanitize({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
}),
).to.eql({
y: 4,

@@ -1017,32 +1066,46 @@ z: false,

a: '<p>Test</p>',
}),
).to.eql({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
});
done();
});
done();
});
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
}),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
}),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
});
done();
});
done();
});
});
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
expect(
sanitize({
describe('Sanitize complex object', function () {
it('should sanitize clean body.', function (done) {
expect(
sanitize({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
}),
).to.eql({
y: 4,

@@ -1066,42 +1129,41 @@ z: false,

},
}),
).to.eql({
y: 4,
z: false,
w: 'bla bla',
a: '<p>Test</p>',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: 'Test1',
r: {
a: '<h6>H6 Test</h6>',
},
},
});
done();
});
done();
});
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
it('should sanitize dirty body.', function (done) {
expect(
sanitize({
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
}),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'<h1>H1 Test</h1>',
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
e: '',
r: {

@@ -1111,161 +1173,143 @@ a: '<h6>H6 Test</h6>',

},
}),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '',
r: {
a: '<h6>H6 Test</h6>',
},
},
});
done();
});
done();
});
});
describe('Sanitize null value', function () {
it('should return null.', function (done) {
expect(sanitize(null)).to.eql(null);
done();
describe('Sanitize null value', function () {
it('should return null.', function (done) {
expect(sanitize(null)).to.eql(null);
done();
});
});
});
});
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
});
done();
});
done();
});
});
describe('Sanitize complex object with attributes', function () {
it('should sanitize but keep asked attributes.', function (done) {
expect(
sanitize(
{
d: '<input value="some value" class="test-class" />',
},
{
allowedTags: ['input'],
allowedAttributes: {
input: ['value'],
describe('Sanitize complex object with attributes', function () {
it('should sanitize but keep asked attributes.', function (done) {
expect(
sanitize(
{
d: '<input value="some value" class="test-class" />',
},
},
),
).to.eql({
d: '<input value="some value" />',
{
allowedTags: ['input'],
allowedAttributes: {
input: ['value'],
},
},
),
).to.eql({
d: '<input value="some value" />',
});
done();
});
done();
});
});
describe('Sanitize complex object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
describe('Sanitize complex object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
arr: [
"<h1 onclick='return false;'>H1 Test</h1>",
'bla bla',
{
i: ["<h3 onclick='function x(e) {console.log(e); return;}'>H3 Test</h3>", 'bla bla', false, 5],
j: '<a href="/" onclick="return 0;">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
{ allowedKeys: ['e'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
{ allowedKeys: ['e'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '',
arr: [
'<h1>H1 Test</h1>',
'bla bla',
{
i: ['<h3>H3 Test</h3>', 'bla bla', false, 5],
j: '<a href="/">Link</a>',
},
],
obj: {
e: '<script>while (true){alert("Test To OO")}</script>',
r: {
a: '<h6>H6 Test</h6>',
},
},
});
done();
});
done();
});
});
});
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
describe('Sanitize data with custom options as function', function () {
describe('Sanitize simple object', function () {
it('should sanitize dirty body.', function (done) {
expect(
sanitize(
{
a: '<script>Test</script>',
b: '<p onclick="return;">Test</p>',
c: '<img src="/"/>',
},
{ allowedKeys: ['c'] },
),
).to.eql({
a: '',
b: '<p>Test</p>',
c: '<img src="/"/>',
});
done();
});
done();
});
});
describe('XSS bypass by using prototype pollution issue', function () {
it('should sanitize dirty data after prototype pollution.', function (done) {
// eslint-disable-next-line no-extend-native
Object.prototype.allowedTags = ['script'];
expect(
sanitize(
{
a: '<script>Test</script>',
},
{},
),
).to.eql({
a: '',
describe('XSS bypass by using prototype pollution issue', function () {
it('should sanitize dirty data after prototype pollution.', function (done) {
// eslint-disable-next-line no-extend-native
Object.prototype.allowedTags = ['script'];
expect(
sanitize(
{
a: '<script>Test</script>',
},
{},
),
).to.eql({
a: '',
});
done();
});
done();
});

@@ -1272,0 +1316,0 @@ });
