xss-advanced v1.0.2 • Published 3 years ago

Weekly downloads: 3 • License: MIT • Repository: github • Last release: 3 years ago

xss-advanced

Node.js Connect middleware to sanitize user input coming from POST body, GET queries, and url params. Works with Express.

Install

npm install xss-advanced@latest

How to use

Important note: you must register express.json() or the body-parser middleware (so that req.body is parsed) before adding the xss-clean-advanced middleware; otherwise there is no parsed body for it to sanitize.

const express = require('express');
const xssAdvanced = require('xss-advanced');

const app = express();

// First add the body parser middleware, so that req.body is populated
app.use(express.json());

// Then add the sanitizing middleware itself
app.use(xssAdvanced());

Available options

Since this middleware is built on top of xss, as its argument it accepts any option supported by the xss library.

Argument: xssOptions
Default value: { css: false, stripIgnoreTagBody: 'script' }
Available values: any option accepted by the xss library (see the xss library documentation)
Explanation (for the default options): anywhere in the body, params or query, if there is a \ tag it will be REMOVED; however, if an element has a css style property it will be PERSISTED.
Examples:
  • \test\test2 ---> test2
  • \da\ ---> \da\
// Example using a custom option instead of the default
const options = {
  whiteList: {
    a: ["href", "title", "target"]
  }
};

app.use(xssAdvanced(options));

Where the example above returned \da\ ---> \da\, this configuration returns the full value:

  • \da\ ---> \da\

THE DATA WILL BE FILTERED/XSS SANITIZED DEPENDING ON WHAT YOU PASS AS OPTIONS

REMINDER:

By default all \ tags are REMOVED and css styles are INCLUDED (you can exclude them with additional options); additional attributes such as href, target and title that point to external links are also REMOVED.

Additional examples

These examples are shown with the default options.

  • Example: GET http://localhost:5005?test=\baze\test
    Initial value: In req.query you get {test: "\baze\test"}
    Result: xss-advanced middleware sanitizes it to {test: "d"}
  • Example: POST http://localhost:5005 with application/json body {"test": "\baze\d"}
    Initial value: In req.body you get {test: "\baze\test"}
    Result: xss-advanced middleware sanitizes it to {test: "d"}
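The following is an added example, not code from the xss-advanced package, showing the middleware pattern the "How to use" and "Additional examples" sections describe: walk req.body, req.query and req.params, rewrite every string through a sanitizer, and only then call next(). The real package hands each string to the xss library; that dependency is not available in this stand-alone snippet, so the `stripTags` function below is an assumed stand-in that drops script blocks with their body and removes every other tag. A regular expression is not a safe HTML sanitizer for production use; the point of the example is the traversal, the handling of nested values, and what happens when no body parser ran first.

```javascript
// Added example (not the xss-advanced package's own code): an Express-style
// sanitizing middleware over req.body, req.query and req.params.
// `stripTags` is an ASSUMED stand-in for the xss library, kept deliberately
// simple; use the xss library (or DOMPurify) for real sanitizing.

function stripTags(value) {
  return value
    // script elements are removed together with their body, matching the
    // README's default of stripping the script tag body
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    // any other opening or closing tag is removed; its text content is kept
    .replace(/<\/?[a-z][^>]*>/gi, '');
}

// Recursively sanitize in place: strings are rewritten, arrays and plain
// objects are walked, everything else (numbers, booleans, null) is untouched.
function sanitizeValue(value, sanitize, seen = new WeakSet()) {
  if (typeof value === 'string') return sanitize(value);
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i += 1) {
      value[i] = sanitizeValue(value[i], sanitize, seen);
    }
    return value;
  }
  if (value !== null && typeof value === 'object') {
    if (seen.has(value)) return value; // guard against cyclic structures
    seen.add(value);
    for (const key of Object.keys(value)) {
      value[key] = sanitizeValue(value[key], sanitize, seen);
    }
    return value;
  }
  return value;
}

// Middleware factory, used like app.use(xssMiddleware()). Unlike the package,
// the argument is the sanitizer function itself rather than xss options.
function xssMiddleware(sanitize = stripTags) {
  return function (req, res, next) {
    for (const location of ['body', 'query', 'params']) {
      // req.body is undefined when no body parser ran earlier in the chain.
      // Skipping it keeps the middleware from throwing, but it also means a
      // wrong middleware order silently leaves the body unsanitized, which is
      // why the README insists on registering express.json() first.
      if (req[location] !== undefined) sanitizeValue(req[location], sanitize);
    }
    next();
  };
}

// Constructed request object standing in for what Express would build after
// express.json() has parsed the body.
function runDemo() {
  const req = {
    body: { test: '<script>x</script>d', nested: { items: ['<b>x</b>', 1, null] } },
    query: { test: '<a href="#">baze</a>test' },
    params: { id: '42' },
  };
  let nextCalled = false;
  xssMiddleware()(req, {}, () => { nextCalled = true; });
  return { req, nextCalled };
}

// Same middleware with no body parser in front: req.body is absent, so only
// query and params are touched and the middleware must not throw.
function runWithoutBodyParser() {
  const req = { query: { q: '<img src="x">baze' }, params: {} };
  xssMiddleware()(req, {}, () => {});
  return req;
}

console.log(JSON.stringify(runDemo().req));
console.log(JSON.stringify(runWithoutBodyParser()));
```

Two design choices worth noting: the traversal mutates the request objects in place rather than replacing them, because in some Express versions req.query is exposed through a getter and reassigning it would fail; and non-string leaves are passed through untouched, so numeric and boolean JSON fields keep their types instead of being coerced to strings.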