🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

xss-advanced

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express

1.0.2
latest
Source
npm
Version published
Weekly downloads
0
Maintainers
1
Weekly downloads
 
Created
Source

xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express.

About middleware:

  • Built on top of xss library
  • Upgraded version of xss-clean middleware (you can add additional filtering options)

Content:

Install

npm install xss-advanced@latest

How to use

Important note: You must use express.json() or body-parser middleware (in order to parse req.body) before adding xss-clean-advanced middleware

const xssAdvanced = require('xss-advanced')

const app = express();

<!-- First you add body parser middleware -->
app.use(express.json());

<!-- Then you add the middleware itself -->
app.use(xssAdvanced());

Available options

Since this middleware is built on top of xss, as a argument it acceps any options available by the xss library.

ArgumentDefault valueAvailable value
xssOptions{ css: false, stripIgnoreTagBody: ['script'] }CHECK ALL AVAILABLE OPTIONS HERE
ExplanationFor default options: anywhere in the body, params or query, if there's <script> tag it will be REMOVED, however if element has css style property it will be PERSISTED
Examples<script>test</script>test2 ---> test2;
<a href="test">da</a> ---> <a href>da</a>

<!-- Example with using custom option, instead of default-->
const options = var options = {
  whiteList: {
    a: ["href", "title", "target"]
  }
};

app.use(xssAdvanced(options));

If the example above returned <a href="test">da</a> ---> <a href>da</a>, this will return the full value:

  • <a href="test">da</a> ---> <a href="test">da</a>

THE DATA WILL BE FILTERED/XSS SANITIZED DEPENDING ON WHAT YOU PASS AS OPTIONS

REMINDER:

By default all <script> tags are REMOVED, css styles are INCLUDED (of course you can exclude it with additional options), additional parametars like href, target, title that point to external links are also REMOVED

Additional examples

This examples are shown with the provided default options

  • Example: GET http://localhost:5005?test=\
  • Example: POST http://localhost:5005 with application/json body {"test": "<script>baze</script>d"
    Initial value: In req.body you get {test: "<script>baze</script>test"}
    Result: xss-advanced middleware sanitizes it to {test: "d"}

Keywords

expressjs
backend
middleware
xss
sanitizer
clean data

FAQs

Package last updated on 28 Nov 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Potemkin Understanding in LLMs: New Study Reveals Flaws in AI Benchmarks

Security News

Potemkin Understanding in LLMs: New Study Reveals Flaws in AI Benchmarks

New research reveals that LLMs often fake understanding, passing benchmarks but failing to apply concepts or stay internally consistent.

By Sarah Gooding  -  Jul 01, 2025