disinfect

Hapi plugin to apply Google's Caja HTML Sanitizer on route query, payload, and params.

• Capable for custom sanitization and per-route configuration.
• Can also be used for input formatting using the custom sanitizer option.
• Can be disabled per route.

Usage

const registerPlugins = async (server) => Promise.all([
    server.register({
        plugin: require('disinfect'),
        options: {
            disinfectQuery: true,
            disinfectParams: true,
            disinfectPayload: true
        }
    })
]);
 
registerPlugins(server)
    .then(() => {
        // ...
    })
    .catch((err) => {
        // ...
    })
 

Glue manifest

register: {
    plugins: [
        {
            plugin: require('disinfect'),
            options: {
                disinfectQuery: true,
                disinfectParams: true,
                disinfectPayload: true
            }
        }
    ]
}

Options

• deleteEmpty - remove empty query or payload keys.
• deleteWhitespace - remove whitespace query, payload, or params keys.
• disinfectQuery - sanitize query strings.
• disinfectParams - sanitize url params.
• disinfectPayload - sanitize payload.
• genericSanitizer - custom synchronous function to do the sanitization of query, payload, and params.
• querySanitizer - custom synchronous function to do the sanitization of query strings.
• paramsSanitizer - custom synchronous function to do the sanitization of url params.
• payloadSanitizer - custom synchronous function to do the sanitization of payload.

deleteEmpty and deleteWhitespace defaults to false.

disinfectQuery, disinfectParams, and disinfectPayload defaults to false. If set to true, object will be passed to caja first before custom sanitizers.

dirtyObject ->`Caja` sanitizer -> `genericSanitizer` -> `query-`, `params-`, or `payload-` sanitizer -> deleteWhitespace -> deleteEmpty -> cleanObject.

genericSanitizer, querySanitizer, paramsSanitizer, and payloadSanitizer should be in the following format:

const customSanitizer = (dirtyObj) => {
    // ...
    return cleanObj;
}

All options can be passed on a per-route basis. Route options overrides server options.

// example
{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: {
                disinfectQuery: true,
                disinfectParams: false,
                disinfectPayload: true
            }
        }
    }
}

Disable on a route.

{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: false
        }
    }
}

Contributing

• Include 100% test coverage
• Follow the Hapi coding conventions
• Submit an issue first for significant changes.

Credits

• hapi-sanitize-payload - Hapi plugin to sanitize the request payload
• Caja-HTML-Sanitizer - Bundles Google Caja's HTML Sanitizer within a npm installable node.js module