xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and URL params. Works with Express.


Maintainers: 1
Weekly downloads: 56 (decreased by 64.56%)

About middleware:

  • Built on top of the xss library
  • Upgraded version of the xss-clean middleware (you can add additional filtering options)

Install

npm install xss-advanced@latest

How to use

Important note: you must register express.json() or the body-parser middleware (so that req.body is parsed) before adding the xss-advanced middleware; otherwise req.body is undefined when the sanitizer runs.

const express = require('express');
const xssAdvanced = require('xss-advanced');

const app = express();

// First add the body parser middleware so req.body is populated
app.use(express.json());

// Then add the sanitizing middleware itself (with default options)
app.use(xssAdvanced());

Available options

Since this middleware is built on top of xss, it accepts as its argument any options supported by the xss library.

Argument: xssOptions
Default value: { css: false, stripIgnoreTagBody: ['script'] }
Available values: any option accepted by the xss library (check its documentation for the full list)
Explanation (default options): anywhere in the body, params or query, a <script> tag is REMOVED; however, if an element has a CSS style property it is PERSISTED.
Examples:
  • <script>test</script>test2 ---> test2
  • <a href="test">da</a> ---> <a href>da</a>

// Example using a custom option instead of the default:
// only <a> tags are allowed, and only these attributes on them
const options = {
  whiteList: {
    a: ["href", "title", "target"]
  }
};

app.use(xssAdvanced(options));

Where the default configuration above turned <a href="test">da</a> into <a href>da</a>, this configuration returns the full value:

  • <a href="test">da</a> ---> <a href="test">da</a>

THE DATA WILL BE FILTERED/XSS SANITIZED DEPENDING ON WHAT YOU PASS AS OPTIONS

REMINDER:

By default all <script> tags are REMOVED and CSS styles are INCLUDED (you can exclude them with additional options); additional attributes such as href, target and title that point to external links are also REMOVED.

Additional examples

These examples are shown with the default options.

  • Example: GET http://localhost:5005?test=\
  • Example: POST http://localhost:5005 with application/json body {"test": "<script>baze</script>d"}
    Initial value: in req.body you get {test: "<script>baze</script>d"}
    Result: the xss-advanced middleware sanitizes it to {test: "d"}
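The following is an added example, not the xss-advanced package's own code: a Connect-style middleware of the same shape that walks req.body, req.query and req.params and runs every string through a sanitizer. The per-string filter is a stand-in for the xss library that implements only the stripIgnoreTagBody: ['script'] default (no whitelisting or attribute filtering), so the block runs offline; the names xssMiddleware, sanitizeDeep, defaultSanitize and demo are assumptions of this example.

```javascript
// Added example (not xss-advanced's code). Stand-in for the xss library's
// { stripIgnoreTagBody: [...] } behaviour: remove each listed tag with its body.
// Swap in (s) => require('xss')(s, xssOptions) to use the real filter.
function defaultSanitize(str, xssOptions = {}) {
  const tags = xssOptions.stripIgnoreTagBody || ['script'];
  return tags.reduce((s, tag) => {
    // tag names come from config, but refuse anything that is not a plain name
    if (!/^[a-z][a-z0-9]*$/i.test(tag)) throw new Error(`bad tag name: ${tag}`);
    const re = new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi');
    return s.replace(re, '');
  }, str);
}

// Recursively sanitize strings inside objects/arrays, mutating in place.
// Only own enumerable keys are visited, so inherited/prototype properties are
// never touched; numbers, booleans and null pass through unchanged.
function sanitizeDeep(value, sanitize, depth = 0) {
  if (typeof value === 'string') return sanitize(value);
  if (depth > 32 || value === null || typeof value !== 'object') return value;
  for (const key of Object.keys(value)) {
    value[key] = sanitizeDeep(value[key], sanitize, depth + 1);
  }
  return value;
}

// Middleware factory with the same calling shape as xssAdvanced(options).
function xssMiddleware(xssOptions = {}, sanitize = (s) => defaultSanitize(s, xssOptions)) {
  return function (req, res, next) {
    // req.body is only present if a body parser (express.json()) ran earlier,
    // which is why this middleware must be registered after it.
    for (const part of ['body', 'query', 'params']) {
      if (req[part] === undefined || req[part] === null) continue;
      const cleaned = sanitizeDeep(req[part], sanitize);
      if (cleaned !== req[part]) req[part] = cleaned; // only a string body needs reassigning
    }
    next();
  };
}

function demo() {
  // Constructed request object, as it looks after express.json() has parsed JSON.
  const req = {
    body: { test: '<script>baze</script>d', nested: { tags: ['<script>x</script>ok', 7] } },
    query: { q: 'a<script>alert(1)</script>b' },
    params: { id: '42' },
  };
  let nextCalled = false;
  xssMiddleware()(req, {}, () => { nextCalled = true; });
  return { req, nextCalled }; // req.body.test is now "d", as in the README example
}
```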

Last updated on 28 Nov 2020
