express-safe-json

Prevent HTML tags from rendering in JSON responses.

Usage no npm install needed!

<script type="module">
  import expressSafeJson from 'https://cdn.skypack.dev/express-safe-json';
</script>

README

express-safe-json

Prevent HTML tags from rendering in JSON responses.

Why?

Even when the response is sent with Content-Type: application/json, some browsers attempts to do MIME-type sniffing - meaning that even if the response is specified as application/json, the browser might still render it as HTML if it appears like valid HTML - leading to an XSS vulnerability.

Adding the X-Content-Type-Options: nosniff header disables this behaviour and can help mitigate this - but its not supported by all browsers.

This library modifies express's res.send() method to replace the < character in JSON reponses with \u003c. The modified JSON should still be parsed the same on all JSON parsers, but will prevent browsers from thinking that it might be an HTML response.

Install

npm install express-safe-json

Use

var express = require('express')
require('express-safe-json')(express)

// or, to have express-safe-json require() express on its own, simply:
require('express-safe-json')()

// Then, you can just use res.send(<object>) and res.json(<object>)
// as you normally do.

License

MIT