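import config from "../../../../config.js";
import xssInjection from "../xssInjection.js";

// Schema `type`s that denote rich-text editors. Their values are not HTML-escaped
// (escaping would destroy the markup); instead the field is rejected outright when
// a disallowed stop word appears. Overridable via `config.skipScreening`.
const DEFAULT_SKIP_SCREENING = ["Summernote", "Tiny", "Ace", "Texteditor"];

// Stop words that are tolerated inside rich-text fields only (links and images).
const RICH_TEXT_ALLOWED = ["href=", "src="];

/**
 * Screen a parsed request body for XSS and SQL-injection stop words.
 *
 * Behaviour, in order:
 * 1. The whole body (a string as-is, anything else JSON-serialised) is lower-cased
 *    and scanned for every entry of `xssInjection` plus any "OR"-with-delimiters
 *    fragment (a crude SQL-injection tell). The matches are the "stop words".
 * 2. For an object/array body, every top-level string value containing `<` or `>`
 *    has them replaced with `&lt;` / `&gt;` IN PLACE, unless the field's schema
 *    entry is a rich-text type or has `xssCheck: false`.
 * 3. If any stop word was found, the first top-level string field that still
 *    contains one (rich-text fields ignore `href=` / `src=`, `xssCheck: false`
 *    fields are skipped) is reported as an error. A string body is rejected as a
 *    whole, since it has no fields to attribute the match to.
 *
 * @param {object} args
 * @param {*} args.body  Parsed request body (untrusted). Mutated in place by step 2.
 * @param {object} [args.schema={}]  Per-field metadata: `{ [field]: { type, xssCheck } }`.
 * @returns {{ body: * } | { error: string, body: * }}  `error` has the form
 *   `rule: <stopWord> | attr: <field> | val: <value>`. `val` echoes the raw
 *   untrusted value — callers must encode it before rendering it in HTML or logs.
 */
function checkXSS({ body, schema = {} }) {
  const isRecord = body !== null && typeof body === "object";
  const serialised = typeof body === "string" ? body : JSON.stringify(body);
  // JSON.stringify(undefined) is undefined — treat a missing body as empty text
  // instead of throwing from `.match` below.
  const text = typeof serialised === "string" ? serialised : "";
  const lowered = text.toLowerCase();

  // NOTE(review): entries of `xssInjection` are compared against lower-cased text,
  // so they must themselves be lower-case — confirm in ../xssInjection.js.
  const stopWords = xssInjection.filter((el) => lowered.includes(el));

  // check sql injection — lower-case the fragments so a mixed-case match such as
  // " Or " is still found in the lower-cased field values further down (the
  // original pushed the raw fragment, which a lower-cased value never contains).
  const sqlFragments = text.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/giu) ?? [];
  for (const fragment of sqlFragments) stopWords.push(fragment.toLowerCase());

  const skipScreening = config.skipScreening || DEFAULT_SKIP_SCREENING;
  const isRichText = (key) => skipScreening.includes(schema?.[key]?.type);
  const isExempt = (key) => schema?.[key]?.xssCheck === false;

  // escape arrows on non-rich text editor inputs. Only string values of an
  // object/array body are touched: a string body has no writable index keys and
  // an array value has no `.replace`, both of which used to throw here.
  if (isRecord) {
    for (const key of Object.keys(body)) {
      const value = body[key];
      if (typeof value !== "string") continue;
      if (!value.includes("<") && !value.includes(">")) continue;
      if (isRichText(key) || isExempt(key)) continue;
      body[key] = value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
    }
  }

  if (stopWords.length === 0) return { body };

  if (!isRecord) {
    // A bare string (or other scalar) body has no fields to attribute the match
    // to, so the body is rejected as a whole.
    const rule = stopWords[0];
    console.error(rule, "body", body);
    return { error: `rule: ${rule} | attr: body | val: ${body}`, body };
  }

  // exclude specific columns (xssCheck: false) and, for rich-text fields, the
  // tolerated link/image attributes. Every remaining stop word is tried against
  // each field, not only the first one found in the serialised body, so a field
  // containing a later-listed stop word is not waved through and the reported
  // rule is the one that actually occurs in the offending field.
  const richTextStopWords = stopWords.filter((el) => !RICH_TEXT_ALLOWED.includes(el));
  for (const key of Object.keys(body)) {
    const value = body[key];
    if (typeof value !== "string" || isExempt(key)) continue;
    const candidates = isRichText(key) ? richTextStopWords : stopWords;
    const loweredValue = value.toLowerCase();
    const rule = candidates.find((el) => loweredValue.includes(el));
    if (rule !== undefined) {
      // Logs the raw untrusted value: it may contain newlines or escape sequences.
      console.error(rule, key, value);
      return { error: `rule: ${rule} | attr: ${key} | val: ${value}`, body };
    }
  }

  // NOTE(review): reaching here means the stop word came from a JSON key, from a
  // nested value, or from a plain-text field whose `<`/`>` escaping above
  // neutralised it (presumably the intended "stored escaped" outcome). Nested
  // values are neither escaped nor rejected by this function — do not rely on it
  // for nested payloads.
  return { body };
}

export default checkXSS;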