npm install @aftership/express-sanitized
Place this directly after express.bodyParser() and before any express middleware that accesses query or body parameters, e.g.:
var express = require('express'), expressSanitized = require('express-sanitized'); app.use(express.bodyParser()); app.use(expressSanitized()); // this line follows express.bodyParser()
'<script>document.write('cookie monster')</script> download now'
will be sanitized to ' download now'.
This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.
This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.
This module was inspired by express-sanitizer. The difference here is strict laziness. This middleware automatically sanitizes post and query values whereas that module requires you to manually sanitize each parameter.
- Initial release
- Patrick Hogan email@example.com - Wrap the sanitizer in an npm package
- Mark Andrews firstname.lastname@example.org* - Wrote the initial express-sanitizer. I forked his library.
Copyright (c) 2014 Patrick Hogan email@example.com, MIT License