Scrubr
Because we can never trust data a client sends to us.
Scrubr contains a set of utilities to parse a payload against a definition. It can be used on its own or as middleware for Connect.
When used as middleware for Connect or Express, Scrubr can be run against all data in req.body. Define data once and then write logic in templates which display form data. See the Middleware example below.
Install
$ npm install scrubr
Example
```coffeescript
scrubr = require 'scrubr'

definition =
  username:
    is: 'username'
    required: true
    scrub: 'sql'
  password:
    is: 'password'
    required: true
  state:
    isIn: ['NJ', 'CA']
  comment:
    isString: true
    scrub: ['html', 'sql']
  age:
    inBounds:
      upper: 10
      lower: 5

body =
  username: 'james'
  password: 'HHHHjjjj1111'
  state: 'NJ'
  comment: 'a'
  age: 6

# The two scrubr calls below (load the definition, then check a body against it)
# lost their method names in the original; they are left as placeholders.
scrubr.<load> definition
scrubr.<check> body        # PASS

body.age = 22
scrubr.<check> body        # FAIL: age is not within the bounds of 10 (upper) and 5 (lower)
```
Middleware
Assumptions
- Forms use the same path. GET is used to display the form and POST is used to parse the form.
Example
```javascript
var scrubr = require('scrubr');

// Load the definition (the method name was lost from the original).
// NOTE THAT REQUIRED CAN BE AN ARRAY OF PATHS WHERE THIS FIELD IS REQUIRED
scrubr.<load>(definition);

// Run scrubr against req.body, then serve the form on GET and parse it on POST
// at the same path (the three app calls were lost; the route names are assumed).
app.use(scrubr.<middleware>());
app.get('/form', routes.form);
app.post('/form', routes.form);
```
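A minimal implementation of the definition format used in the Example section above, covering the `required` / `isIn` / `isString` / `inBounds` / `scrub` rules and the note that `required` can be an array of paths. This is an added example, not scrubr's own code; its `parse(definition, body, path)` signature, the failure messages and the exact `html` / `sql` scrubbing rules are assumptions.

```javascript
// Added example, not scrubr's own code: a minimal validator for the
// definition format shown on this page (required, isIn, isString,
// inBounds, scrub: 'html' / 'sql'). `required` may be true or an array
// of request paths on which the field is mandatory. The 'is' rule
// ('username', 'password') has no documented semantics here and is ignored.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

const scrubbers = {
  // html: escape rather than strip, so the value is safe to echo back into a template
  html: (v) => String(v).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]),
  // sql: drop quote, backslash and comment tokens. Demo only; real code
  // should use parameterized queries instead of relying on scrubbing.
  sql: (v) => String(v).replace(/['"\\]|--/g, ''),
};

// Returns { body, failures }: the scrubbed copy of the accepted fields and
// the human-readable failure list that the form template displays.
function parse(definition, body, path) {
  const failures = [];
  const out = {};
  for (const [field, rules] of Object.entries(definition)) {
    let value = body[field];
    const present = value !== undefined && value !== null && value !== '';
    const required = Array.isArray(rules.required)
      ? rules.required.includes(path)
      : rules.required === true;
    if (required && !present) { failures.push(`${field} is required`); continue; }
    if (!present) continue;
    if (rules.isString && typeof value !== 'string') failures.push(`${field} is not a string`);
    if (rules.isIn && !rules.isIn.includes(value))
      failures.push(`${field} must be one of ${rules.isIn.join(', ')}`);
    if (rules.inBounds) {
      const { upper, lower } = rules.inBounds;
      const n = Number(value);
      if (Number.isNaN(n) || n > upper || n < lower)
        failures.push(`${field} is not within the bounds of ${upper} (upper) and ${lower} (lower)`);
    }
    // scrub may be a single name or a list; scrubbers run in the listed order
    for (const name of [].concat(rules.scrub || [])) value = scrubbers[name](value);
    out[field] = value;
  }
  return { body: out, failures };
}
```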
In routes/index.js
```javascript
// Handler names (form, index) and view names are not recoverable from the
// original and are assumed; the locals match what form.jade below reads.
exports.form = function (req, res) {
  var fail, body;
  if (req.scrubr && req.scrubr.failures) {
    // scrubr rejected the POST: hand the failures and the submitted values back to the form
    fail = req.scrubr.failures;
    body = req.body;
  } else {
    fail = false;
    body = req.body = false; // nothing to redisplay on a fresh GET
  }
  res.render('form', { title: 'Scrubr', failures: fail, body: body });
};

exports.index = function (req, res) {
  res.render('index', { title: 'Scrubr' });
};
```
Later on, in form.jade:
```jade
h1= title
p Welcome to #{title}
-if (failures)
  #failures
    h2 Failures
    ul
      -failures.forEach(function (failure) {
        li.failure= failure
      -})
form(method='post', action='/form')
  #username
    span Username
    -if (body.username)
      input(type='text', name='username', value=body.username)
    -else
      input(type='text', name='username')
  #attackstring
    span Attack String
    -if (body.attack)
      input(type='text', name='attack', value=body.attack)
    -else
      input(type='text', name='attack')
  #btn
    input(type='submit')
```