UNPKG

perfect-express-sanitizer

Version:

a complete package to control user input data to prevent Cross Site Scripting (XSS) ,Sql injection and no Sql injection attack

github.com/pariazar/perfect-express-sanitizer

pariazar/perfect-express-sanitizer

84 lines (77 loc) 2.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
"use strict"; const sanitizeHtml = require("sanitize-html"); const initializeOptions = (options) => { const sanitizerOptions = {}; if (Array.isArray(options.allowedTags) && options.allowedTags.length > 0) { sanitizerOptions.allowedTags = options.allowedTags; } return { allowedKeys: (Array.isArray(options.allowedKeys) && options.allowedKeys) || [], sanitizerOptions, }; }; function containsAllowedKey(item, allowedKeys) { for (const key of allowedKeys) { const regex = new RegExp(key.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/%/g, '.*')); if (regex.test(item)) { return true; } } return false; } const detectXss = (value) => { try { const input = value.length; const inputAfterSanitizing = sanitizeHtml(value).length; if (input !== inputAfterSanitizing) { return true; } } catch (error) { } return false; } const sanitize = (options, data) => { if (typeof data === "string") { if(options?.allowedKeys?.includes(data)){ return data; } return sanitizeHtml(data, options.sanitizerOptions); } if (Array.isArray(data)) { return data.map((item) => { if (typeof item === "string") { return sanitizeHtml(item, options.sanitizerOptions); } if (Array.isArray(item) || typeof item === "object") { return sanitize(options, item); } return item; }); } if (typeof data === "object" && data !== null) { Object.keys(data).forEach((key) => { if (options.allowedKeys.includes(key)) { return; } if(options?.allowedKeys && containsAllowedKey(data[key], options.allowedKeys)){ return data[key]; } const item = data[key]; if (typeof item === "string") { data[key] = sanitizeHtml(item, options.sanitizerOptions); } else if (Array.isArray(item) || typeof item === "object") { data[key] = sanitize(options, item); } }); } return data; }; const prepareSanitize = (data, options = {}) => { options = initializeOptions(options); return sanitize(options, data); }; module.exports = { prepareSanitize, detectXss };