How I can sanitize my input values in node js?

Question

I validated my Node.js inputs so that they won't be empty, but I want to sanitize them too. Please help me how I can do this.

req.checkBody('name', 'Name is required!').notEmpty();
req.checkBody('surname', 'Surname is required!').notEmpty();
req.checkBody('username', 'Username is required!').notEmpty();
req.checkBody('password', 'Password is required!').notEmpty();
req.checkBody('password2', 'Passwords do not match!').equals(req.body.password);

var errors = req.validationErrors();

if (errors) {
    res.render('user/register', {
        errors: errors,
        user: null,
        title: 'Register'
    });
}
else {
    var userData = {
        name : req.body.name,
        surname : req.body.surname,
        username : req.body.username,
        password : req.body.password,
        avatar : 'No_person.jpg'
    };
    userController.addUser(req,res,userData);
}

Answer 1

• For most of the framework, you can use sanitize node module:

   npm install sanitize --save
  

  And then can use like:

   var sanitizer = require('sanitize')();
  
   var name = sanitizer.value(req.name, 'string');
   var surname= sanitizer.value(req.surname, 'string');
  

  For more can go through sanitize documentation

• If you are using express, then you can validate and sanitize using express-validator and express-sanitize-input packages as follows:

   const express = require('express');
   const { check } = require('express-validator');
   const app = express();
  
   app.use(express.json())
  
   app.post('/form', [
     check('name').isLength({ min: 3 }).trim().escape(),
     check('email').isEmail().normalizeEmail(),
     check('age').isNumeric().trim().escape()
   ], (req, res) => {
     const name  = req.body.name
     const email = req.body.email
     const age   = req.body.age
   })  
  

  For more can go through express-validator and express-sanitize-input documentation.

• If you are using Hapi, then you can validate and sanitize using Joi, With the Joi, you can sanitize variable with additional options

   validate(value, schema, {escapeHtml: true}, [callback])
  

  For more can go through Joi documentation.

• If you don't want to use any third party module and want to sanitize using the built-in node. you can try following:

   // For string variables
   str = typeof(str) === 'string' && str.trim().length > 0 ? str.trim() : '';
   // for boolean values
   bool = typeof(bool) === 'boolean' && bool === true ? true : false;
   // for array values
   arr = typeof(arr) === 'object' && arr instanceof Array ? arr : [];
   // for number values
   num = typeof(num) === 'number' && num % 1 === 0 ? num : 0;
   // for objects
   obj = typeof(obj) === 'object' && !(obj instanceof Array) && obj !== null ? obj : {};
  

Answer 2

Actually, I wrote a package to solve this problem easily. You can use it or contribute to it on Github.

Download this package from here: https://www.npmjs.com/package/string-sanitizer

You can use this utility package to sanitize even foreign languages other than English. Under the hood, regex is used in this library. You can convert your string to URL or filename friendly string. The use cases are given below

var string = require("string-sanitizer");

string.sanitize("a.bc@d efg#h"); // abcdefgh
string.sanitize.keepSpace("a.bc@d efg#h"); // abcd efgh
string.sanitize.keepUnicode("a.bc@d efg#hক"); // abcd efghক
string.sanitize.addFullstop("a.bc@d efg#h"); // abcd.efgh
string.sanitize.addUnderscore("a.bc@d efg#h"); // abcd_efgh
string.sanitize.addDash("a.bc@d efg#h"); // abcd-efgh
string.sanitize.removeNumber("@abcd efgh123"); // abcdefgh
string.sanitize.keepNumber("@abcd efgh123"); // abcdefgh123
string.addFullstop("abcd efgh"); // abcd.efgh
string.addUnderscore("@abcd efgh"); // @abcd_efgh
string.addDash("@abcd efgh"); // @abcd-efgh
string.removeSpace("@abcd efgh"); // @abcdefgh

Codeblock

Answer 3

validator has 5M downloads/week and seems like the most popular package in the industry as of today. express-validator uses validator as it's core. These are certainly one option, as are other packages like xss and sanitize-html

There is extensive documentation on both of the validator packages, here is the section on sanitization:

https://express-validator.github.io/docs/sanitization.html

Answer 4

I use Yup for validation. It's a lot smaller package than Joi. I've used Yup on both front and backend and I usually throw my validations into a shared npm package that both the front end and backend projects can have the same validation library

npm install -S yup

then

import * as yup from 'yup';

let schema = yup.object().shape({
  name: yup.string().required(),
  age: yup.number().required().positive().integer(),
  email: yup.string().email(),
  website: yup.string().url(),
  createdOn: yup.date().default(function () {
    return new Date();
  }),
});

// check validity
schema
  .isValid({
    name: 'jimmy',
    age: 24,
  })
  .then(function (valid) {
    valid; // => true
  });

From Yup's website:

Yup is a JavaScript schema builder for value parsing and validation. Define a schema, transform a value to match, validate the shape of an existing value, or both. Yup schema are extremely expressive and allow modeling complex, interdependent validations, or value transformations.

Yup's API is heavily inspired by Joi, but leaner and built with client-side validation as its primary use-case. Yup separates the parsing and validating functions into separate steps. cast() transforms data while validate checks that the input is the correct shape. Each can be performed together (such as HTML form validation) or separately (such as deserializing trusted data from APIs).

You will want to create your own validators for special items like password matching etc. This can be done using regex then add the function to Yup like so:

let schema = string().matches(/(hi|bye)/);

Put all your validation functions into your shared NPM package (including your typescript types etc). The cases where your frontend team is out of sync with validations on the backend will now be less of a concern.

Answer 5

You can create custom middleware that you can integrate into any endpoint (or globally for every request), and it will check if any of the inputs in the request body is problematic.

It will check if:

• The input contains some embedded HTML code (scripts of images for example).
• First non-white character is =, which make Excel imports vulnerable.

---

Middleware

const containsHtml = /<[^>]*>/;
const startsWithEqual = /^\s*=/;

const isInvalidInput = (input) => {
  return containsHtml.test(input) || startsWithEqual.test(input);
}

exports.inputValidator = (req,res,next) => {
  let invalid_input_count = 0;
  const obj = req.body;
  const stack = [obj];
  while (stack?.length > 0) {
    const currentObj = stack.pop();
    Object.keys(currentObj).forEach(key => {
      if (typeof currentObj[key] === 'object' && currentObj[key] !== null) {
        stack.push(currentObj[key]);
      } else {
        if (typeof currentObj[key] === 'string' && isInvalidInput(currentObj[key])) {
          invalid_input_count++;
        }
      }
    });
  }

  if(invalid_input_count === 0) {
    return next();
  } else{
    return res.status(400).json({ success: false, error_code: 'invalid_input'});
  }
}

Usage

const express = require('express');
const { inputValidator } = require('./util/input-validator');

...

const app = express();
app.use(inputValidator); // Check every request for vulnerable inputs