scorpion4dev-express-autosanitizer
Automatic sanitization of req body fields, params and query: the middleware sanitizes and escapes them for you.
let sanitizer = require('sanitizer')
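/**
 * Sanitizes every own enumerable property of an object and returns a new
 * object; `options.input` itself is never mutated.
 *
 * @param {object} options
 * @param {object} options.input - object whose values are sanitized.
 * @param {boolean} options.isEscapeHtml - forwarded unchanged to `sanitizerFunction`.
 * @param {(object|null)} options.replaceCustomValue - forwarded unchanged to `sanitizerFunction`.
 * @returns {object} a fresh object with the same keys and sanitized values.
 */
function sanitizeObj(options) {
  const { input: dirty, isEscapeHtml, replaceCustomValue } = options
  const clean = {}
  for (const key of Object.keys(dirty)) {
    const value = sanitizerFunction({
      input: dirty[key],
      isEscapeHtml,
      replaceCustomValue
    })
    // Define instead of assign: a request key named "__proto__" (own property
    // after JSON.parse) would otherwise reach the Object.prototype setter and
    // make the request-supplied value the prototype of `clean` rather than an
    // own property of it.
    Object.defineProperty(clean, key, {
      value,
      enumerable: true,
      writable: true,
      configurable: true
    })
  }
  return clean
}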
/**
 * Sanitizes each element of an array in order and returns a new array;
 * `options.input` is left untouched.
 *
 * @param {object} options
 * @param {Array} options.input - array whose elements are sanitized.
 * @param {boolean} options.isEscapeHtml - forwarded unchanged to `sanitizerFunction`.
 * @param {(object|null)} options.replaceCustomValue - forwarded unchanged to `sanitizerFunction`.
 * @returns {Array} sanitized copy in the same order as `input`.
 */
function sanitizeArray(options) {
  const { input: items, isEscapeHtml, replaceCustomValue } = options
  const cleanOne = element => sanitizerFunction({
    input: element,
    isEscapeHtml,
    replaceCustomValue
  })
  return items.reduce((acc, element) => {
    acc.push(cleanOne(element))
    return acc
  }, [])
}
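/**
 * Recursively sanitizes a single request value.
 *
 * Strings are trimmed, run through `sanitizer.sanitize`, have their HTML
 * entities decoded, are optionally re-escaped, and are finally mapped through
 * `replaceCustomValue`. Arrays and objects are walked recursively (any
 * non-array object is rebuilt from its own enumerable keys). Every other
 * value - number, boolean, null, undefined, ... - is returned untouched.
 *
 * @param {object} options
 * @param {*} options.input - value to sanitize.
 * @param {boolean} options.isEscapeHtml - when true, the cleaned string is HTML-escaped.
 * @param {(object|null|undefined)} options.replaceCustomValue - optional map of
 *   cleaned string -> replacement value; only its own keys are consulted.
 * @returns {*} the sanitized value (a new object/array for containers).
 */
function sanitizerFunction(options) {
  const { input, isEscapeHtml, replaceCustomValue } = options
  if (input === null || typeof input === 'undefined') return input
  // Array.isArray also recognises arrays created in another realm, for which
  // `input.constructor === Array` is false.
  if (Array.isArray(input)) return sanitizeArray(options)
  if (typeof input === 'object') return sanitizeObj(options)
  if (typeof input !== 'string') return input

  let clean = sanitizer.sanitize(input.trim())
  // Entities are decoded after sanitizing, so encoded markup such as "&lt;"
  // comes back as a literal character here; a value that will be rendered as
  // HTML needs `isEscapeHtml`, this step alone does not neutralise it.
  clean = sanitizer.unescapeEntities(clean)
  if (isEscapeHtml) clean = sanitizer.escape(clean)
  // Own-key check: a plain `replaceCustomValue[clean]` lookup resolves through
  // Object.prototype, so a request string such as "constructor" or "toString"
  // would be replaced by a built-in function instead of being left alone.
  // `!= null` also covers an undefined map instead of throwing.
  if (
    replaceCustomValue != null &&
    Object.prototype.hasOwnProperty.call(replaceCustomValue, clean) &&
    replaceCustomValue[clean] !== undefined
  ) {
    clean = replaceCustomValue[clean]
  }
  return clean
}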
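/**
 * Builds the Express middleware.
 *
 * @param {object} [_options]
 * @param {boolean} [_options.body=true] - sanitize `req.body`.
 * @param {boolean} [_options.params=true] - sanitize `req.params`.
 * @param {boolean} [_options.query=true] - sanitize `req.query`.
 * @param {boolean} [_options.cookies=false] - sanitize `req.cookies`.
 * @param {boolean} [_options.headers=false] - sanitize `req.headers`.
 * @param {boolean} [_options.escapeHtml=false] - HTML-escape cleaned strings.
 * @param {boolean} [_options.replaceOriginal=false] - when true the request
 *   fields are overwritten in place; otherwise they are left untouched and the
 *   cleaned copies are stored under `req.sanitized[source]`, which is created
 *   only for sources that actually held data.
 * @param {(object|null)} [_options.replaceCustomValue=null] - map of cleaned
 *   string -> replacement value, passed to the built-in sanitizer.
 * @param {function} [_options.sanitizerFunction] - custom per-value sanitizer
 *   that replaces the built-in pipeline entirely (escapeHtml and
 *   replaceCustomValue are then ignored).
 * @returns {function} Express middleware `(req, res, next)`.
 */
const middleware = _options => {
  const userOptions = _options || {}
  const {
    body = true,
    params = true,
    query = true,
    cookies = false,
    headers = false,
    escapeHtml = false,
    replaceOriginal = false,
    replaceCustomValue = null
  } = userOptions
  const options = {
    targets: {
      body,
      params,
      query,
      cookies,
      headers
    },
    replaceOriginal,
    replaceCustomValue,
    sanitizerFunction: userOptions.sanitizerFunction || (input => sanitizerFunction({
      input,
      isEscapeHtml: escapeHtml,
      replaceCustomValue
    }))
  }

  // Creates an own, enumerable property even when `key` is "__proto__"; plain
  // assignment would instead go through the Object.prototype setter and make
  // the request-supplied value the prototype of `target`, so lookups on the
  // sanitized copy could resolve to attacker-controlled data.
  const setOwn = (target, key, value) => {
    Object.defineProperty(target, key, {
      value,
      enumerable: true,
      writable: true,
      configurable: true
    })
  }

  // Sanitizes one request field (req.body, req.query, ...). Missing or empty
  // sources are skipped entirely, so no `req.sanitized[source]` is created for them.
  function sanitize (req, source) {
    const dirty = req[source]
    if (!dirty || Object.keys(dirty).length === 0) return
    if (!options.replaceOriginal) req.sanitized[source] = {}
    // Own enumerable keys only: nothing is read from the prototype chain.
    for (const key of Object.keys(dirty)) {
      const clean = options.sanitizerFunction(dirty[key])
      if (options.replaceOriginal) dirty[key] = clean
      else setOwn(req.sanitized[source], key, clean)
    }
  }

  return (req, _, next) => {
    if (!req) return next()
    if (!options.replaceOriginal) req.sanitized = {}
    for (const [source, enabled] of Object.entries(options.targets)) {
      if (enabled) sanitize(req, source)
    }
    return next()
  }
}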
// The package's sole export is the middleware factory.
module.exports = middleware