
I have a server-side rendered NodeJS Express app. It uses res.render('pathToMyHtml', props) and a view engine to serve the HTML with the provided props.

I want to make sure my HTML is sanitized using the isomorphic-dompurify library to protect against XSS attacks.

Because I use res.render for a bunch of pages, how can I create middleware to make sure my HTML is sanitized every time I invoke res.render?

What I tried

I'm currently calling DOMPurify.sanitize a bunch of times in props instead of the html itself. Something like:

const DOMPurify = require('isomorphic-dompurify');

// each prop value is sanitized individually before it reaches the template
const props = {
  firstName: DOMPurify.sanitize("Joe"),
  lastName: DOMPurify.sanitize("Smith")
};
res.render('myHtmlPage', props);

But I'd like to sanitize the entire HTML payload, not just the props.

EDIT: I found this, but it seems hacky since it involves changing the prototype method... I'm surprised Express doesn't have an API to do this!


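One way to do what the question asks without touching Response.prototype, added here as an example and not code from the question or from Express: shadow res.render on each response object, use Express's callback form of render to get the rendered HTML string, sanitize it, then send it. The injected sanitize function, the simulateRender helper and its fake response object are constructed for this demo; in an app you would pass isomorphic-dompurify's DOMPurify.sanitize with { WHOLE_DOCUMENT: true }.

```javascript
// Added example, not the asker's code: per-response wrapping of res.render.
// `sanitize` is injected; in a real app pass DOMPurify.sanitize from
// isomorphic-dompurify with { WHOLE_DOCUMENT: true } so <html>/<head>/<body>
// survive (by default DOMPurify returns only the body's inner HTML).
function sanitizeRender(sanitize) {
  return function sanitizeRenderMiddleware(req, res, next) {
    const originalRender = res.render.bind(res);

    // Shadow render on this response object only; the prototype is untouched.
    res.render = function (view, locals, callback) {
      // Express accepts render(view, cb) as well as render(view, locals, cb).
      if (typeof locals === 'function') {
        callback = locals;
        locals = {};
      }
      // With a callback, Express hands back the HTML string instead of sending it.
      originalRender(view, locals, function (err, html) {
        if (err) return callback ? callback(err) : next(err);
        const clean = sanitize(html);
        if (callback) return callback(null, clean);
        res.send(clean);
      });
    };
    next();
  };
}

// Drives the middleware against a constructed fake response so the behaviour
// can be checked without Express installed; returns what would be sent.
function simulateRender(sanitize, renderedHtml, view = 'page', locals = {}) {
  const res = {
    body: null,
    render(v, l, cb) { cb(null, renderedHtml); }, // stands in for the view engine
    send(body) { this.body = body; return this; },
  };
  let nextErr = null;
  sanitizeRender(sanitize)({}, res, (err) => { nextErr = err || null; });
  res.render(view, locals);
  return { body: res.body, error: nextErr };
}

// Demo with a constructed stand-in sanitizer, used only so this file runs
// without isomorphic-dompurify installed; it is NOT a real sanitizer.
const stripScripts = (html) => html.replace(/<script\b[\s\S]*?<\/script>/gi, '');
console.log(simulateRender(stripScripts, '<p>Hi Joe</p><script>alert(1)</script>').body);

// Wiring in an Express app (assumes express and isomorphic-dompurify are installed):
//   const DOMPurify = require('isomorphic-dompurify');
//   app.use(sanitizeRender((html) => DOMPurify.sanitize(html, { WHOLE_DOCUMENT: true })));
//   app.get('/', (req, res) => res.render('myHtmlPage', { firstName: 'Joe' }));
```

Whole-page sanitization also strips the page's own <script> tags and inline event handlers, so in practice DOMPurify is applied to untrusted HTML fragments before they are interpolated unescaped, and the view engine's default output escaping covers ordinary props.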