How I can sanitize my input values in node js?

V.Aleksanyan · Oct 12, 2017 · Viewed 40.9k times

I validated my Node.js inputs so that they won't be empty, but I want to sanitize them too. Please help me with how I can do this.

req.checkBody('name', 'Name is required!').notEmpty();
req.checkBody('surname', 'Surname is required!').notEmpty();
req.checkBody('username', 'Username is required!').notEmpty();
req.checkBody('password', 'Password is required!').notEmpty();
req.checkBody('password2', 'Passwords do not match!').equals(req.body.password);

var errors = req.validationErrors();

if (errors) {
    res.render('user/register', {
        errors: errors,
        user: null,
        title: 'Register'
    });
}
else {
    var userData = {
        name : req.body.name,
        surname : req.body.surname,
        username : req.body.username,
        password : req.body.password,
        avatar : 'No_person.jpg'
    };
    userController.addUser(req,res,userData);
}

Answer

kgangadhar · Oct 12, 2017
  • For most frameworks, you can use the sanitize node module:

     npm install sanitize --save
    

    And then can use like:

     var sanitizer = require('sanitize')();
    
     var name = sanitizer.value(req.name, 'string');
     var surname = sanitizer.value(req.surname, 'string');
    

    For more, you can go through the sanitize documentation.

  • If you are using express, then you can validate and sanitize using the express-validator and express-sanitize-input packages as follows:

     const express = require('express');
     const { check, validationResult } = require('express-validator');
     const app = express();
    
     app.use(express.json());
    
     app.post('/form', [
       check('name').isLength({ min: 3 }).trim().escape(),
       check('email').isEmail().normalizeEmail(),
       check('age').isNumeric().trim().escape()
     ], (req, res) => {
       // Reject the request if any of the checks above failed
       const errors = validationResult(req);
       if (!errors.isEmpty()) {
         return res.status(422).json({ errors: errors.array() });
       }
       // The sanitized values are written back onto req.body
       const name  = req.body.name;
       const email = req.body.email;
       const age   = req.body.age;
       res.json({ name, email, age });
     });
    
     app.listen(3000);
    

    For more, you can go through the express-validator and express-sanitize-input documentation.

  • If you are using Hapi, then you can validate and sanitize using Joi. With Joi, you can sanitize a variable with additional options:

     validate(value, schema, {escapeHtml: true}, [callback])
    

    For more, you can go through the Joi documentation.

  • If you don't want to use any third-party module and want to sanitize using built-in Node, you can try the following:

     // For string variables: keep only non-empty, trimmed strings
     str = typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
     // For boolean values: anything but a literal true becomes false
     bool = typeof bool === 'boolean' && bool === true;
     // For array values
     arr = typeof arr === 'object' && arr instanceof Array ? arr : [];
     // For number values: integers only, everything else becomes 0
     num = typeof num === 'number' && num % 1 === 0 ? num : 0;
     // For objects: non-null, non-array objects only
     obj = typeof obj === 'object' && !(obj instanceof Array) && obj !== null ? obj : {};
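As an added example (not part of the question or the answer), here is a dependency-free sanitizer for the registration form in the question. It combines the "built-in Node" type checks above with the trim()/escape() idea from the express-validator option, and it leaves the password alone: a password is hashed, never rendered, so escaping it would only corrupt what the user typed. The function name, the error strings and the sample input are constructed for this example.

```javascript
// Added example, not code from the question or answer above.

// Escape the five characters that matter when a value is later rendered into HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Coerce an arbitrary value to a trimmed string; anything that is not a string becomes ''.
function cleanString(value) {
  return typeof value === 'string' ? value.trim() : '';
}

// Sanitize and validate req.body for the register form from the question.
// Returns { errors, data }: display fields are trimmed and HTML-escaped, the
// password is only checked (never altered), and data is null when any check fails.
function sanitizeRegistration(body) {
  const errors = [];
  const src = body !== null && typeof body === 'object' ? body : {};
  const data = {};

  for (const field of ['name', 'surname', 'username']) {
    const value = cleanString(src[field]);
    if (value.length === 0) {
      errors.push(`${field[0].toUpperCase() + field.slice(1)} is required!`);
    }
    data[field] = escapeHtml(value);
  }

  const password = typeof src.password === 'string' ? src.password : '';
  if (password.length === 0) {
    errors.push('Password is required!');
  }
  if (src.password2 !== password) {
    errors.push('Passwords do not match!');
  }

  const ok = errors.length === 0;
  return { errors, data: ok ? { ...data, password, avatar: 'No_person.jpg' } : null };
}

// Constructed sample input: whitespace padding and HTML markup in the name field.
const sample = sanitizeRegistration({
  name: '  <b>Alice</b> ', surname: 'Smith', username: 'alice',
  password: 'hunter2', password2: 'hunter2',
});
console.log(sample);
```

The escaped fields are safe to drop into an HTML template such as the `user/register` view; values destined for a database query or a shell still need the encoding appropriate to that context rather than HTML escaping.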