Sanitize-middleware NPM

sanitize-middleware

Connect/Express middleware that sanitizes and escapes the query, params and body of requests to protect against cross-site scripting (XSS) and command injection attacks

Installation

Install using npm:

npm install sanitize-middleware

Or yarn:

yarn add sanitize-middleware

sanitize-middleware's test scripts use npm commands.

API

const sanitizeMiddleware = require("sanitize-middleware");

Options

The sanitizeMiddleware function takes an optional config object that may contain any of the following properties, mapped to the req object property of the same name:

body
params
query

Each of the above properties must be objects, with further properties as objects inside named after the properties you want to parse and sanitize from that respective request element.

const exampleConfig = {
	body: {
		bodyProperty1: {},
		bodyProperty2: {},
	},
	query: {
		queryProperty1: {},
	},
	params: {
		paramsProperty1: {},
	},
};

Each of the object properties within body, query, and/or params have properties themselves:

Property	Type	Description
mandatory (optional)	`Boolean`	Whether the property is mandatory
maxLength (optional)	`Number`	The maximum accepted length of a property
type (required)	`String`	The expected type of the received property

Examples

If no options are provided to the middleware, the middleware will accept every property found in the body, query, and params object properties of a req and then attempt to derive the type before sanitizing.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

app.use(sanitizeMiddleware());

With options provided, if a received property that is mandatory is missing, is the wrong type, or is longer than the max length, an error will be passed to next() to be handled by your error handler middleware.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

// localhost:8204/test?id=hello&status=current would throw an error as type of the id query key is wrong
// localhost:8204/test?id=1 would throw an error as the mandatory status query key is missing
// localhost:8204/test?subject=bananas would throw an error as the length is greater than the maxLength allowed
const options = {
	query: {
		status: { type: "string", mandatory: true },
		type: { type: "string", mandatory: false },
		id: { type: "number", mandatory: false },
		specialty: { type: "string", mandatory: false },
		subject: { type: "string", mandatory: false, maxLength: 5 },
	},
};

app.use(sanitizeMiddleware(options));

The mandatory property is optional, if not present it is assumed a received property matching its parent key name is not mandatory.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

const options = {
	query: {
		specialty: { type: "string", mandatory: false },
		subject: { type: "string", mandatory: false },
	},
	params: {
		id: { type: "string" },
	},
};

app.use(sanitizeMiddleware(options));