An express middleware for Caja-HTML-Sanitizer, which wraps Google Caja sanitizer.
A useful complement to express-validator, filling the gap left now that XSS sanitization support has been removed from that module's parent, node-validator.
```sh
npm install express-sanitizer
```
Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:

```javascript
var express = require('express'),
    expressSanitizer = require('express-sanitizer');

var app = express();

app.use(express.bodyParser());
app.use(expressSanitizer()); // this line follows express.bodyParser(); an optional options object may be passed
app.post('/:urlparam', function(req, res) {
  // validation here
  // replace an HTTP posted body property with the sanitized string
  req.body.propertyToSanitize = req.sanitize(req.param('propertyToSanitize'));
});
```
The string `'<script>hello</script> world'` will be sanitized to `' world'`.
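To show how the middleware wiring above behaves without a live server, here is an added example that is not code from the express-sanitizer package or its author. It builds a minimal express-style middleware factory that attaches `req.sanitize` to each request, exercises it against a constructed request object, and leaves non-string values untouched so they can be validated separately. The `sanitizeFn` parameter, the `sanitizeBodyFields` helper and the `placeholderSanitize` function are assumptions made for this example; `placeholderSanitize` is a constructed stand-in that only removes `<script>` elements so the example runs offline, and is not a substitute for the Caja sanitizer the real package wraps.

```javascript
// Added example, not the express-sanitizer package's own code: a minimal
// express-style middleware that attaches req.sanitize to each request,
// wired to a pluggable sanitizer function.

// Constructed stand-in so the example runs offline with no dependencies.
// It only removes <script> elements; in real use the package delegates to
// the Caja sanitizer instead.
function placeholderSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Middleware factory: returns (req, res, next) as app.use() expects.
// `sanitizeFn` is an assumed parameter; the real package takes `options`.
function expressSanitizer(sanitizeFn) {
  return function (req, res, next) {
    req.sanitize = function (value) {
      // Only strings are sanitized; other types (undefined, numbers, arrays)
      // pass through unchanged so callers can validate them separately.
      return typeof value === 'string' ? sanitizeFn(value) : value;
    };
    next();
  };
}

// Assumed helper mirroring the README's handler: replace the named body
// properties with their sanitized form, leaving unlisted properties alone.
function sanitizeBodyFields(req, fields) {
  fields.forEach(function (name) {
    if (Object.prototype.hasOwnProperty.call(req.body, name)) {
      req.body[name] = req.sanitize(req.body[name]);
    }
  });
  return req.body;
}

// Stand-alone run against a constructed request object instead of a server.
function demo() {
  var req = {
    body: {
      propertyToSanitize: '<script>hello</script> world', // constructed input
      count: 3,                                          // non-string: untouched
      untouched: '<b>kept as-is</b>'                     // not listed: untouched
    }
  };
  var nextCalls = 0;
  expressSanitizer(placeholderSanitize)(req, {}, function next() { nextCalls++; });
  sanitizeBodyFields(req, ['propertyToSanitize', 'count']);
  return { body: req.body, nextCalled: nextCalls === 1 };
}

console.log(JSON.stringify(demo()));
```

The middleware deliberately sanitizes only strings: passing numbers or arrays through unchanged means a later validation step still sees the original type, which is the ordering the README's handler relies on (validate, then sanitize the specific properties you intend to store).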
This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.
This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.
- Initial release
- Mark Andrews [email protected] - Wrap the sanitizer in an npm package
Copyright (c) 2014 Mark Andrews [email protected], MIT License