0

My NodeJS server receives user input (a string) that may or may not contain double or single quotes. I would like to prevent users from breaking out of the string by putting " or ' into their input, but they must retain the ability to use said characters. How can I achieve this in NodeJS?

EXAMPLE:

// Replace "break" with some malicious code
let unfilteredInput = "I am a hacker and I will "break" out of this string! Muhahahaha!"

// I would like to "sanitize" the input so it turns into this
let filteredInput = "I am a hacker and I will \"break\" out of this string! Muhahahaha!"

// Here, the hacker was unable to run their code as the string was "sanitized".
// This must happen server-side and not client-side to prevent tampering.

Thanks!

Bananos

  • Do you execute this text somehow? – Konrad Mar 14 '23 at 21:09
  • @Konrad It is being saved into the database. And even if the user isn't trying to do anything malicious, having " in the string would split it in two and make it incomplete. – Bananos Mar 14 '23 at 21:15
  • Does this answer your question? [How I can sanitize my input values in node js?](https://stackoverflow.com/questions/46718772/how-i-can-sanitize-my-input-values-in-node-js) – Lelio Faieta Mar 14 '23 at 21:16
  • @Bananos No it won't. It'll do that when you put a `"` in a string literal in your code, but the user is not writing your code. It won't break the string apart if it's already part of the string data. Please show us the part of the code that is receiving the string (reading it from the http request) and the part that is storing it in the database - this is where (de)serialisation happens, and that's where you need to be concerned. But otherwise, strings are data that can contain any character just fine. – Bergi Mar 14 '23 at 22:00
  • Please provide us with more code, but if you are saving it to the database, you can use an ORM to help you store the data without security concerns. – Yitzhak Barzilay Mar 14 '23 at 22:39

1 Answer

-1

An easy hack will be to do JSON.stringify("I am a hacker and I will \"break\" out of this string! Muhahahaha!")

Or Yaacov
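As an added example (not code from the question or the answer), the script below shows Bergi's point and the answer's JSON.stringify suggestion side by side: a stored string with quotes is intact data, JSON.stringify produces a literal that parses back to exactly the original, plain concatenation does not, and rewriting the input before storage corrupts what the user typed. The `fakeDbRow` object is an assumed stand-in for a parameterised INSERT.

```javascript
// Added example: quotes inside a string are plain data; escaping belongs at
// the serialisation boundary (JSON response, JS literal), not in storage.

// Constructed sample, as it would arrive in an HTTP request body.
const userInput =
  'I am a hacker and I will "break" out of this string! Muhahahaha!';

// Stored as-is the value stays complete: the user writes into a variable,
// never into your source code, so nothing "splits" it.
function storeAsIs(value) {
  const fakeDbRow = { body: value }; // assumption: stands in for a parameterised INSERT
  return fakeDbRow.body;
}

// Serialising for a JSON response or a JS literal: JSON.stringify escapes the
// inner quotes and wraps the value, which is what the answer relies on.
function toJsonLiteral(value) {
  return JSON.stringify(value);
}

// Building the literal by concatenation is the actual hazard: the result is
// not one string, so whatever consumes it sees extra tokens.
function toLiteralByConcatenation(value) {
  return '"' + value + '"';
}

// True only if the literal parses back to exactly one string equal to original.
function roundTripsCleanly(literal, original) {
  try {
    return JSON.parse(literal) === original;
  } catch {
    return false; // concatenated literal: trailing tokens after the first string
  }
}

// "Sanitising" the stored value itself changes the data the user typed.
function naiveEscape(value) {
  return value.replace(/"/g, '\\"');
}

function demo() {
  if (storeAsIs(userInput) !== userInput) throw new Error("storage altered data");
  if (!roundTripsCleanly(toJsonLiteral(userInput), userInput)) throw new Error("stringify");
  if (roundTripsCleanly(toLiteralByConcatenation(userInput), userInput)) throw new Error("concat");
  if (naiveEscape(userInput) === userInput) throw new Error("naive escape");
  return toJsonLiteral(userInput);
}

console.log(demo());
```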