4.0.4 • Published 4 years ago


sanitize-middleware


Connect/Express middleware that sanitizes and escapes the query, params and body of requests to protect against cross-site scripting (XSS) and command injection attacks

Installation

Install using npm:

npm install sanitize-middleware

Or yarn:

yarn add sanitize-middleware

sanitize-middleware's test scripts use npm commands.

API

const sanitizeMiddleware = require("sanitize-middleware");

Options

The sanitizeMiddleware function takes an optional config object that may contain any of the following properties, mapped to the req object property of the same name:

  • body
  • params
  • query

Each of these must itself be an object whose keys are the names of the properties you want to parse and sanitize from that part of the request; each key maps to a configuration object for that property.

const exampleConfig = {
	body: {
		bodyProperty1: {},
		bodyProperty2: {},
	},
	query: {
		queryProperty1: {},
	},
	params: {
		paramsProperty1: {},
	},
};

Each configuration object within body, query, and/or params may have the following properties:

Property               Type      Description
mandatory (optional)   Boolean   Whether the property is mandatory
maxLength (optional)   Number    The maximum accepted length of a property
type (required)        String    The expected type of the received property

Examples

If no options are provided to the middleware, it accepts every property found in req.body, req.query, and req.params, and attempts to infer each property's type before sanitizing it.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

app.use(sanitizeMiddleware());

When options are provided, if a mandatory property is missing, or a received property has the wrong type or is longer than its maxLength, an error is passed to next() to be handled by your error-handling middleware.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

// localhost:8204/test?id=hello&status=current results in an error being passed to next(), as the type of the id query key is wrong
// localhost:8204/test?id=1 results in an error being passed to next(), as the mandatory status query key is missing
// localhost:8204/test?subject=bananas results in an error being passed to next(), as the length exceeds the maxLength allowed
const options = {
	query: {
		status: { type: "string", mandatory: true },
		type: { type: "string", mandatory: false },
		id: { type: "number", mandatory: false },
		specialty: { type: "string", mandatory: false },
		subject: { type: "string", mandatory: false, maxLength: 5 },
	},
};

app.use(sanitizeMiddleware(options));

The mandatory property is optional; if it is omitted, the received property matching its parent key name is treated as not mandatory.

const sanitizeMiddleware = require("sanitize-middleware");
const express = require("express");
const app = express();

const options = {
	query: {
		specialty: { type: "string", mandatory: false },
		subject: { type: "string", mandatory: false },
	},
	params: {
		id: { type: "string" },
	},
};

app.use(sanitizeMiddleware(options));
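The option semantics from the table and the examples above, as an added JavaScript illustration that is not sanitize-middleware's own code: an Express-style (req, res, next) middleware that applies the mandatory, type and maxLength rules and passes any violation to next(). The error messages, the HTML escaping of string values, dropping keys absent from the config and the check() helper are assumptions made here; the no-options type-inference mode is not modelled.

```javascript
// Added illustration, not sanitize-middleware's own code; see the lead-in for assumptions.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
// Coerce a raw value (query/params values arrive as strings) to the configured type;
// undefined means it cannot be read as that type. Strings are HTML-escaped (assumption).
function coerce(value, type) {
  if (type === "number") {
    const n = Number(value);
    return value !== "" && Number.isFinite(n) ? n : undefined;
  }
  return typeof value === "string" ? escapeHtml(value) : undefined;
}

// Check one request element (e.g. req.query) against its config and return the
// sanitized copy; keys absent from the config are dropped (assumption). Throws on the first violation.
function sanitizeElement(element, config) {
  const out = {};
  for (const [key, rule] of Object.entries(config)) {
    const raw = element[key];
    if (raw === undefined && rule.mandatory) throw new Error(`${key} is mandatory`);
    if (raw === undefined) continue;
    if (rule.maxLength !== undefined && String(raw).length > rule.maxLength)
      throw new Error(`${key} exceeds maxLength of ${rule.maxLength}`);
    const value = coerce(raw, rule.type);
    if (value === undefined) throw new Error(`${key} must be of type ${rule.type}`);
    out[key] = value;
  }
  return out;
}

// Middleware factory: a violation is passed to next(err) for the app's error-handling middleware.
function sanitizeMiddleware(options = {}) {
  return (req, res, next) => {
    try {
      for (const part of ["body", "params", "query"]) {
        if (options[part]) req[part] = sanitizeElement(req[part] || {}, options[part]);
      }
      next();
    } catch (err) {
      next(err);
    }
  };
}

// Exercise the middleware without an HTTP server: returns the error passed to next(), or null.
function check(options, req) {
  let result = null;
  sanitizeMiddleware(options)(req, {}, (err) => { result = err || null; });
  return result;
}
```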

Contributing

Please see CONTRIBUTING.md for more details regarding contributing to this project.

License

sanitize-middleware is licensed under the MIT license.
