express-xss-sanitizer
Version:
Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.
116 lines (98 loc) • 4 kB
Markdown
# Express XSS Sanitizer
Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.
[](https://github.com/AhmedAdelFahim/express-xss-sanitizer)
[](https://github.com/AhmedAdelFahim/express-xss-sanitizer)
[](https://www.npmjs.com/package/express-xss-sanitizer)
[](https://www.npmjs.com/package/express-xss-sanitizer)
[](https://www.npmjs.com/package/express-xss-sanitizer)
[](https://www.npmjs.com/package/express-xss-sanitizer)
## Installation
```bash
$ npm install express-xss-sanitizer
```
## Usage
Add as a piece of express middleware, before defining your routes.
```javascript
const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');
const app = express();
app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.use(xss());
```
You can add options to control max number of recursion at sanitization to prevent DOS attacks.
```javascript
const options = {
maxDepth: 50, // default 100
}
app.use(xss(options));
```
You can add options to specify allowed keys or allowed attributes to be skipped at sanitization
```javascript
const options = {
allowedKeys: ['name'],
allowedAttributes: {
input: ['value'],
},
}
app.use(xss(options));
```
You can add options to specify allowed tags to sanitize it and remove other tags
```javascript
const options = {
allowedTags: ['h1']
}
app.use(xss(options));
```
Add as a piece of express middleware, before single route.
```javascript
const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');
const app = express();
app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.post("/body", xss(), function (req, res) {
// your code
});
app.post("/test", function (req, res) {
// your code
});
```
__Note:__ if you adding xxs() as application level middleware, the xxs() will sanitize req.body, req.headers and req.query only and for req.params you must add xxs() as route level middleware like below example.
```javascript
const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');
const app = express();
app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.post("/params/:val", xss(), function (req, res) {
// your code
});
```
You also can sanitize your data (object, array, string,etc) on the fly.
```javascript
const { sanitize } = require('express-xss-sanitizer');
// ...
data = sanitize(data)
// or
data = sanitize(data, {allowedKeys: ['name']})
// ...
```
## For other frameworks
* [koa-xss-sanitizer](https://www.npmjs.com/package/koa-xss-sanitizer)
## Tests
To run the test suite, first install the dependencies, then run `npm test`:
```bash
$ npm install
$ npm test
```
## Security
### Reporting Vulnerabilities
Please report security issues to [ahmedadelfahim@gmail.com](mailto:ahmedadelfahim@gmail.com)
### Security Updates
- **v2.0.1**: Fixed unbounded recursion depth vulnerability (CVE-2025-59364)
## Support
Feel free to open issues on [github](https://github.com/AhmedAdelFahim/express-xss-sanitizer.git).