disinfect

Hapi plugin to apply Google's Caja HTML Sanitizer on route query, payload, and params.

Supports custom sanitization and per-route configuration.

Can also be used for input formatting using the custom sanitizer option.

Can be disabled per route.

Usage

```js
const registerPlugins = async (server) => Promise.all([
    server.register({
        plugin: require('disinfect'),
        options: {
            disinfectQuery: true,
            disinfectParams: true,
            disinfectPayload: true
        }
    })
]);

registerPlugins(server)
    .then(() => { })
    .catch((err) => { });
```

Glue manifest

```js
register: {
    plugins: [
        {
            plugin: require('disinfect'),
            options: {
                disinfectQuery: true,
                disinfectParams: true,
                disinfectPayload: true
            }
        }
    ]
}
```

Options

deleteEmpty - remove empty query or payload keys.

deleteWhitespace - remove whitespace query, payload, or params keys.

disinfectQuery - sanitize query strings.

disinfectParams - sanitize URL params.

disinfectPayload - sanitize payload.

genericSanitizer - custom synchronous function to sanitize query, payload, and params.

querySanitizer - custom synchronous function to sanitize query strings.

paramsSanitizer - custom synchronous function to sanitize URL params.

payloadSanitizer - custom synchronous function to sanitize payload.

deleteEmpty and deleteWhitespace default to false.

disinfectQuery, disinfectParams, and disinfectPayload default to false. If set to true, the object is passed to Caja first, before any custom sanitizers run.

dirtyObject -> `Caja` sanitizer -> `genericSanitizer` -> `querySanitizer`, `paramsSanitizer`, or `payloadSanitizer` -> deleteWhitespace -> deleteEmpty -> cleanObject.

genericSanitizer, querySanitizer, paramsSanitizer, and payloadSanitizer should have the following shape:

```js
const customSanitizer = (dirtyObj) => {
    return cleanObj;
};
```

All options can be passed on a per-route basis. Route options override server options.

```js
{
    path: '/',
    method: 'get',
    handler: (request, reply) => { ... },
    options: {
        plugins: {
            disinfect: {
                disinfectQuery: true,
                disinfectParams: false,
                disinfectPayload: true
            }
        }
    }
}
```

Disable on a route.

```js
{
    path: '/',
    method: 'get',
    handler: (request, reply) => { ... },
    options: {
        plugins: {
            disinfect: false
        }
    }
}
```
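As an added example (not code from the disinfect package), here is a custom sanitizer in the synchronous `(dirtyObj) => cleanObj` shape described above, wired into a per-route configuration. It walks nested payloads that the Caja HTML step does not structure-check: it strips control characters, trims and caps strings, and drops keys that would let JSON input reach the object prototype. The `/comments` route, the length and depth limits, and the key denylist are assumptions for the illustration.

```javascript
// Added example: a custom genericSanitizer for disinfect (not part of the package).
const MAX_LEN = 1000;   // assumed per-field length cap
const MAX_DEPTH = 5;    // assumed bound on nested payload depth

// Remove ASCII control characters (tab and newline are kept), trim, cap length.
const cleanString = (value) => value
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '')
    .trim()
    .slice(0, MAX_LEN);

// Keys that JSON.parse would create as own properties but that a later
// merge or assignment could turn into prototype pollution (assumed denylist).
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively clean strings, arrays and plain objects; other values pass through.
const walk = (value, depth) => {
    if (typeof value === 'string') {
        return cleanString(value);
    }
    if (Array.isArray(value)) {
        return depth >= MAX_DEPTH ? [] : value.map((v) => walk(v, depth + 1));
    }
    if (value !== null && typeof value === 'object') {
        if (depth >= MAX_DEPTH) {
            return {};
        }
        const out = {};
        for (const key of Object.keys(value)) {
            if (DENIED_KEYS.has(key)) {
                continue;
            }
            out[cleanString(key)] = walk(value[key], depth + 1);
        }
        return out;
    }
    return value;
};

// The synchronous dirtyObj -> cleanObj contract expected by disinfect.
const genericSanitizer = (dirtyObj) => walk(dirtyObj, 0);

// Hypothetical route: Caja runs on the payload first, then genericSanitizer
// runs on query, params and payload.
const commentRoute = {
    path: '/comments',
    method: 'post',
    handler: (request, h) => h.response(request.payload).code(201),
    options: {
        plugins: {
            disinfect: { disinfectPayload: true, genericSanitizer }
        }
    }
};
```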

Contributing

Include 100% test coverage

Follow the Hapi coding conventions

Submit an issue first for significant changes.

Credits