I have a server-side rendered NodeJS Express app. It uses res.render('pathToMyHtml', props) and a view engine to serve the HTML with the provided props.
I want to make sure my HTML is sanitized using the isomorphic-dompurify library to protect against XSS attacks.
Because I use res.render for a bunch of pages, how can I create middleware to make sure my HTML is sanitized every time I invoke res.render?
What I tried
I'm currently calling DOMPurify.sanitize a bunch of times in props instead of on the HTML itself. Something like:
const DOMPurify = require('isomorphic-dompurify');

// Each prop value is sanitized individually before it reaches the view
const props = {
  firstName: DOMPurify.sanitize("Joe"),
  lastName: DOMPurify.sanitize("Smith")
};
res.render('myHtmlPage', props);
But I'd like to sanitize the entire HTML payload, not just the props.
EDIT: I found this, but it seems hacky since it involves changing the prototype method... I'm surprised Express doesn't have an API to do this!
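The middleware the question asks for can be built without touching any prototype, by wrapping res.render on each response and using Express's documented three-argument form res.render(view, locals, callback): when a callback is supplied, Express passes it the rendered HTML instead of sending it, so the wrapper can sanitize the string and send it itself. The following is an added example, not code from the question or from Express or isomorphic-dompurify. The sanitizer is injected as a parameter; in a real app you would pass DOMPurify.sanitize from isomorphic-dompurify (the require line and the WHOLE_DOCUMENT option in the comment are the assumed real-world wiring). The fake res object, the in-memory views and the stub sanitizer below are constructed stand-ins so the file runs offline without Express.

```javascript
// sanitizeRender: Express middleware factory. `sanitize` is any
// (html: string) => string function. Real wiring (assumed, not run here):
//   const DOMPurify = require('isomorphic-dompurify');
//   app.use(sanitizeRender(html => DOMPurify.sanitize(html, { WHOLE_DOCUMENT: true })));
// WHOLE_DOCUMENT keeps the <html>/<head> wrapper; DOMPurify's default returns
// only body content, which would break a full server-rendered page.
function sanitizeRender(sanitize) {
  return function (req, res, next) {
    const originalRender = res.render.bind(res);
    res.render = function (view, options, callback) {
      // Support the two-argument form res.render(view, callback).
      if (typeof options === 'function') {
        callback = options;
        options = {};
      }
      originalRender(view, options, (err, html) => {
        if (err) {
          // Mirror Express: hand errors to the caller's callback if any, else to next().
          return callback ? callback(err) : next(err);
        }
        const clean = sanitize(html);
        if (callback) return callback(null, clean);
        res.send(clean);
      });
    };
    next();
  };
}

// --- Constructed stand-ins so this file runs without Express ---

// Minimal res object: render() runs a "view" (a function over locals) and,
// like Express, either invokes the callback with the HTML or sends it.
function makeFakeRes(views) {
  const res = { sent: null };
  res.send = (body) => { res.sent = body; return res; };
  res.render = (view, options, callback) => {
    let html;
    try {
      html = views[view](options || {});
    } catch (err) {
      if (callback) return callback(err);
      throw err;
    }
    if (callback) return callback(null, html);
    res.send(html);
  };
  return res;
}

// Stub sanitizer that only drops <script> elements. It exists purely to make
// the wrapper observable in this example and is NOT a substitute for DOMPurify.
function stubSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Constructed view: an unescaped template, i.e. the situation where prop
// values would otherwise land in the page verbatim.
const views = {
  profile: (p) => `<html><body><h1>${p.firstName} ${p.lastName}</h1></body></html>`,
};

// Push one request through the middleware and return what would be sent.
function renderThroughMiddleware(view, props) {
  const res = makeFakeRes(views);
  sanitizeRender(stubSanitize)({}, res, () => {});  // installs the wrapped render
  res.render(view, props);                           // the same call the app makes today
  return res.sent;
}

// Same, but returns the error next() received when the view fails.
function renderMissingView() {
  const res = makeFakeRes(views);
  let nextErr = null;
  sanitizeRender(stubSanitize)({}, res, (err) => { nextErr = err; });
  res.render('does-not-exist', {});
  return nextErr;
}
```

Two caveats a reviewer would raise before shipping this. First, a post-render sanitizer rewrites the whole page, so any inline scripts or event handlers the app's own templates legitimately emit are stripped too; the standard defence against XSS in server-rendered apps is contextual output escaping in the view engine (most engines escape interpolated values by default), with DOMPurify reserved for fields that must carry HTML. Second, sanitizing after rendering means any template that forgot to escape is only as safe as the sanitizer's configuration, so treat the middleware as a backstop, not a replacement for escaping at the template level.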