es
express-sanitized
npm i express-sanitized
es

express-sanitized

An express.js middleware for sanitizing all query and body parameters automatically

by Patrick Hogan

0.5.1 (see all)License:MITTypeScript:Not FoundCategories:Express XSS, Express XSS Sanitizer
npm i express-sanitized
Readme

express-sanitized

npm version Build Status dependencies devDependencies peerDependencies Known Vulnerabilities

Installation

npm install express-sanitized

Usage

Place this directly after express.bodyParser() and before any express middleware that accesses query or body parameters, e.g.:

var express = require('express'),
    expressSanitized = require('express-sanitized');

app.use(express.bodyParser());
app.use(expressSanitized()); // this line follows express.bodyParser()

Output

The string

'<script>document.write('cookie monster')</script> download now'

will be sanitized to ' download now'.

Limitations

This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.

Caveats

This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.

This module was inspired by express-sanitizer. The difference here is strict laziness. This middleware automatically sanitizes post and query values whereas that module requires you to manually sanitize each parameter.

Changelog

v1.0.0

  • Updated packages

v0.6.0

  • Update packages

v0.5.1

  • Initial release

Contributors

License

Copyright (c) 2014 Patrick Hogan patrick@callinize.com, MIT License