
@dwp/govuk-casa


A framework for building GOVUK Collect-And-Submit-Applications

// Sanitise the fields submitted from a form:
// - coerce each field to its correct type (via the field's processors)
// - drop any extraneous fields that the application does not know about
import fieldFactory from "../lib/field.js";
import JourneyContext from "../lib/JourneyContext.js";

// Transient fields that must survive sanitisation even though they are not
// part of the page's declared field set. None of them is persisted and each
// is coerced to a string.
const TRANSIENT_FIELD_NAMES = ["_csrf", "contextid", "edit", "editorigin"];

/**
 * Build the sanitisation middleware for a waypoint.
 *
 * @param {object} options
 * @param {string} options.waypoint - Waypoint whose submitted fields are sanitised
 * @param {Array} options.fields - Field definitions built with fieldFactory.
 *   Note: the transient fields above are appended to this array in place, so
 *   an array supplied by the caller is mutated.
 * @returns {Array<Function>} Express middleware chain (a single handler)
 */
export default ({ waypoint, fields = [] }) => {
  for (const name of TRANSIENT_FIELD_NAMES) {
    const transientField = fieldFactory(name, { persist: false }).processor(
      (value) => String(value),
    );
    fields.push(transientField);
  }

  const sanitise = (req, res, next) => {
    // Step 1: allow-list. Keep only own, defined properties of `req.body`
    // whose key matches a declared field name; anything else is discarded.
    // A null-prototype object is used so a field name can never resolve to an
    // inherited property. The lint rule is disabled because `name` comes from
    // developer-controlled field definitions, not from the request.
    /* eslint-disable security/detect-object-injection */
    const prunedBody = Object.create(null);
    for (const { name } of fields) {
      const hasOwnDefinedValue =
        Object.hasOwn(req.body, name) && req.body[name] !== undefined;
      if (hasOwnDefinedValue) {
        prunedBody[name] = req.body[name];
      }
    }
    /* eslint-enable security/detect-object-injection */

    // The pruned data is placed into a journey context derived from the
    // request's one, so each field's conditions can be evaluated against it.
    const journeyContext = JourneyContext.fromContext(
      req.casa.journeyContext,
      req,
    );
    journeyContext.setDataForPage(waypoint, prunedBody);

    // Step 2: drop fields whose conditions do not pass, and run the
    // processors of those that do.
    const sanitisedBody = Object.create(null);
    for (const field of fields) {
      const fieldValue = field.getValue(prunedBody);
      if (fieldValue === undefined) {
        continue;
      }
      const conditionsPass = field.testConditions({
        fieldValue,
        waypoint,
        journeyContext,
      });
      if (conditionsPass) {
        field.putValue(sanitisedBody, field.applyProcessors(fieldValue));
      }
    }

    // Step 3: downstream handlers only ever see the sanitised body
    req.body = sanitisedBody;
    next();
  };

  return [sanitise];
};