
I have the following express POST route handler that accepts GET and POST data something like this:

app.post('/handler/:id/:type', function (req, res, next) {
   var id = req.param('id');
   var type = req.param('type');

   var body = req.body;

   // How to check req.body params?
   var document = _.extend(req.body, {id: id, type: type});

   Collection.create(document, function (err, data) {
         .....
   })
});

Is it a problem not to check the incoming parameters and write them to the MongoDB database as in the example above? Or how can I check them?

Erik
  • If you don't care about the nature of the data being stored in your MongoDB database, then it's fine. Also, if someone could POST a HUGE document (>16MB), it would fail as it's too large for MongoDB. To validate -- check that the document is formed to your requirements. Is there more to your question? – WiredPrairie Oct 04 '13 at 18:42
  • Thanks for the answer. I have a question about the possibility of XSS using MongoDB. I think it's possible to save XSS and then use it in HTML code when a user gets the comments list, for example. What do you think? – Erik Oct 04 '13 at 19:11
  • Sorry, I don't follow your question. If you don't trust the client **fully**, then you must validate/scrub the data on the server before saving. – WiredPrairie Oct 04 '13 at 19:18
  • Thanks for the answer. Could you provide a code snippet of your nodejs/express code where you get params from the client and store them in MongoDB? – Erik Oct 04 '13 at 19:26
  • Maybe you should look at mongoosejs? You can define schemas, do validation, etc. – WiredPrairie Oct 04 '13 at 19:33
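One way to do the check the comments describe, as an added example that is neither the asker's nor WiredPrairie's code and uses no framework: it assumes the documents are comments with `text` and `author` fields, a fixed set of `:type` values, and the size limits shown, all of which are assumptions for illustration.

```javascript
// Added example, not from the question or the commenters. A plain-JS
// allowlist validator for the /handler/:id/:type route; field names,
// the :type values and the limits below are assumptions.
var MAX_BODY_BYTES = 64 * 1024;          // far below MongoDB's 16 MB document cap
var ALLOWED_TYPES = ['comment', 'note']; // assumed valid :type values
var FIELDS = {                           // assumed document shape
  text:   { required: true,  maxLength: 2000 },
  author: { required: false, maxLength: 100 }
};

// Returns { ok: true, document } or { ok: false, errors }. Only the keys in
// FIELDS are copied, so extra client keys ($-prefixed or not) never reach the DB.
function validateHandlerInput(params, body) {
  var errors = [];
  var doc = {};
  if (typeof params.id !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(params.id)) {
    errors.push('id must be 1-64 chars of [A-Za-z0-9_-]');
  }
  if (ALLOWED_TYPES.indexOf(params.type) === -1) {
    errors.push('type must be one of ' + ALLOWED_TYPES.join(', '));
  }
  if (!body || typeof body !== 'object' || Array.isArray(body)) {
    errors.push('body must be a JSON object');
  } else if (JSON.stringify(body).length > MAX_BODY_BYTES) {
    errors.push('body exceeds ' + MAX_BODY_BYTES + ' bytes');
  } else {
    Object.keys(FIELDS).forEach(function (name) {
      var rule = FIELDS[name];
      var value = body[name];
      if (value === undefined) {
        if (rule.required) errors.push(name + ' is required');
      } else if (typeof value !== 'string') {
        errors.push(name + ' must be a string');
      } else if (value.length > rule.maxLength) {
        errors.push(name + ' exceeds ' + rule.maxLength + ' chars');
      } else {
        doc[name] = value;
      }
    });
  }
  if (errors.length) return { ok: false, errors: errors };
  doc.id = params.id;
  doc.type = params.type;
  return { ok: true, document: doc };
}

// Text is stored as typed and escaped when rendered into HTML, so a comment
// such as "<script>" is displayed as text in the comments list, not executed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}
```

In the route handler, call `validateHandlerInput(req.params, req.body)` and respond with 400 plus the `errors` array when `ok` is false, passing `document` to `Collection.create` otherwise.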
