express-caja-sanitizer

An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.

Installation

npm install express-caja-sanitizer

Usage

Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:

var express = require('express');
var bodyParser = require('body-parser');
var cajaSanitizer = require('express-caja-sanitizer');

var app = express();

app.use(bodyParser());
app.use(cajaSanitizer());

URL Params

This module by default sanitizes the request URL params (req.params), apart from request body and query string params, e.g.:

http://www.myapp.com/rest/user/<script>console.log("hello")</script>bob/details

will be sanitized as

http://www.myapp.com/rest/user/bob/details

Options

shouldSanitize

When shouldSanitize function is provided as an option, the module will sanitize only the (key, value) pairs for which the function returns true.

For example, if we don't want to sanitize XML values then the preprocesser function can be

var shouldSanitize = function(key, value) {
  return !value.startsWith('<?xml version="1.0"')
}

Limitations

This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.

Caveats

This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.