express-caja-sanitizer

    1.0.1 • Public • Published

    express-caja-sanitizer

    An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.

    Build Status

    Installation

    npm install express-caja-sanitizer
    

    Usage

    Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:

    var express = require('express');
    var bodyParser = require('body-parser');
    var cajaSanitizer = require('express-caja-sanitizer');
    
    var app = express();
    
    app.use(bodyParser());
    app.use(cajaSanitizer());
    
    

    URL Params

    This module by default sanitizes the request URL params (req.params), apart from request body and query string params, e.g.:

    http://www.myapp.com/rest/user/<script>console.log("hello")</script>bob/details
    

    will be sanitized as

    http://www.myapp.com/rest/user/bob/details
    

    Options

    shouldSanitize

    When shouldSanitize function is provided as an option, the module will sanitize only the (key, value) pairs for which the function returns true.

    For example, if we don't want to sanitize XML values then the preprocesser function can be

    var shouldSanitize = function(key, value) {
      return !value.startsWith('<?xml version="1.0"')
    }
    

    Limitations

    This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.

    Caveats

    This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.

    Install

    npm i express-caja-sanitizer

    DownloadsWeekly Downloads

    54

    Version

    1.0.1

    License

    MIT

    Last publish

    Collaborators

    • pvsrivathsa