Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

xss-advanced

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express

  • 1.0.2
  • latest
  • Source
  • npm
  • Socket score

Version published
Maintainers
1
Created
Source

xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express.

About middleware:

  • Built on top of xss library
  • Upgraded version of xss-clean middleware (you can add additional filtering options)

Content:

Install

npm install xss-advanced@latest

How to use

Important note: You must use express.json() or body-parser middleware (in order to parse req.body) before adding xss-clean-advanced middleware

const xssAdvanced = require('xss-advanced')

const app = express();

<!-- First you add body parser middleware -->
app.use(express.json());

<!-- Then you add the middleware itself -->
app.use(xssAdvanced());

Available options

Since this middleware is built on top of xss, as a argument it acceps any options available by the xss library.

ArgumentDefault valueAvailable value
xssOptions{ css: false, stripIgnoreTagBody: ['script'] }CHECK ALL AVAILABLE OPTIONS HERE
ExplanationFor default options: anywhere in the body, params or query, if there's <script> tag it will be REMOVED, however if element has css style property it will be PERSISTED
Examples<script>test</script>test2 ---> test2;
<a href="test">da</a> ---> <a href>da</a>

<!-- Example with using custom option, instead of default-->
const options = var options = {
  whiteList: {
    a: ["href", "title", "target"]
  }
};

app.use(xssAdvanced(options));

If the example above returned <a href="test">da</a> ---> <a href>da</a>, this will return the full value:

  • <a href="test">da</a> ---> <a href="test">da</a>

THE DATA WILL BE FILTERED/XSS SANITIZED DEPENDING ON WHAT YOU PASS AS OPTIONS

REMINDER:

By default all <script> tags are REMOVED, css styles are INCLUDED (of course you can exclude it with additional options), additional parametars like href, target, title that point to external links are also REMOVED

Additional examples

This examples are shown with the provided default options

  • Example: GET http://localhost:5005?test=\
  • Example: POST http://localhost:5005 with application/json body {"test": "<script>baze</script>d"
    Initial value: In req.body you get {test: "<script>baze</script>test"}
    Result: xss-advanced middleware sanitizes it to {test: "d"}

Keywords

FAQs

Package last updated on 28 Nov 2020

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc