How I can sanitize my input values in node js?
Solution 1
- For most frameworks, you can use the sanitize node module:

      npm install sanitize --save

  And then use it like:

      var sanitizer = require('sanitize')();
      var name = sanitizer.value(req.name, 'string');
      var surname = sanitizer.value(req.surname, 'string');

  For more, go through the sanitize documentation.
- If you are using express, then you can validate and sanitize using the express-validator and express-sanitize-input packages as follows:

      const express = require('express');
      const { check, validationResult } = require('express-validator');

      const app = express();
      app.use(express.json());

      // Sanitizers and validators run in chain order, so trim before
      // checking length or numeric-ness.
      app.post('/form', [
        check('name').trim().isLength({ min: 3 }).escape(),
        check('email').isEmail().normalizeEmail(),
        check('age').trim().isNumeric().escape()
      ], (req, res) => {
        // check() only records problems; the request must be rejected here.
        const errors = validationResult(req);
        if (!errors.isEmpty()) {
          return res.status(400).json({ errors: errors.array() });
        }
        const name = req.body.name;
        const email = req.body.email;
        const age = req.body.age;
        res.json({ name, email, age });
      });

      app.listen(3000);

  For more, go through the express-validator and express-sanitize-input documentation.
- If you are using Hapi, then you can validate and sanitize using Joi. With Joi, you can sanitize a variable with additional options:

      validate(value, schema, {escapeHtml: true}, [callback])

  For more, go through the Joi documentation.
- If you don't want to use any third-party module and want to sanitize using built-in Node, you can try the following:

      // For string variables
      str = typeof(str) === 'string' && str.trim().length > 0 ? str.trim() : '';
      // for boolean values
      bool = typeof(bool) === 'boolean' && bool === true ? true : false;
      // for array values
      arr = typeof(arr) === 'object' && arr instanceof Array ? arr : [];
      // for number values
      num = typeof(num) === 'number' && num % 1 === 0 ? num : 0;
      // for objects
      obj = typeof(obj) === 'object' && !(obj instanceof Array) && obj !== null ? obj : {};
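A schema-driven version of the built-in checks above, added here as an example and not part of the original answer: one rule per declared field is applied to the whole request body, keys the schema does not list are dropped, and a wrong-typed value becomes its declared default instead of throwing. The schema, field names and sample body are constructed for this example.

```javascript
// Added example: schema-driven type sanitization for a request body in plain
// Node.js. Each rule mirrors one of the typeof checks above; unknown keys in
// the body are dropped and a wrong-typed value becomes the declared default.
const RULES = {
  string: (v, o) => {
    if (typeof v !== 'string') return o.default ?? '';
    const s = v.trim();                       // drop surrounding whitespace
    const max = o.max ?? 256;                 // length cap limits abuse
    return s.length > 0 && s.length <= max ? s : (o.default ?? '');
  },
  boolean: (v, o) => (typeof v === 'boolean' ? v : (o.default ?? false)),
  integer: (v, o) => (Number.isInteger(v) ? v : (o.default ?? 0)),
  array: (v, o) => {
    const arr = Array.isArray(v) ? v : (o.default ?? []);
    // optional `of`: run every element through the matching rule too
    return o.of ? arr.map((x) => RULES[o.of](x, {})) : arr;
  },
  object: (v, o) =>
    (typeof v === 'object' && v !== null && !Array.isArray(v) ? v : (o.default ?? {})),
};

// Returns a new object containing only the fields named in `schema`;
// anything else in `body` (say, an injected isAdmin flag) is discarded.
function sanitizeBody(body, schema) {
  const src = typeof body === 'object' && body !== null ? body : {};
  const out = {};
  for (const [key, opts] of Object.entries(schema)) {
    const rule = RULES[opts.type];
    if (!rule) throw new TypeError(`unknown type '${opts.type}' for field '${key}'`);
    out[key] = rule(src[key], opts);
  }
  return out;
}

// Constructed schema for the register form in the question (hypothetical fields).
const REGISTER_SCHEMA = {
  name: { type: 'string', max: 64 }, surname: { type: 'string', max: 64 },
  username: { type: 'string', max: 32 }, age: { type: 'integer' },
  newsletter: { type: 'boolean' }, roles: { type: 'array', of: 'string' },
};

// Constructed sample body: padded, mistyped and unexpected fields.
const SAMPLE_BODY = {
  name: '  Alice  ', surname: 42, username: 'alice', age: '30',
  newsletter: 'true', roles: ['user', 5, ' x '], isAdmin: true,
};
function sanitizeRegisterBody(body) {
  return sanitizeBody(body, REGISTER_SCHEMA);
}
console.log(JSON.stringify(sanitizeRegisterBody(SAMPLE_BODY)));
```

Note that a string such as '30' for an integer field becomes 0 rather than being coerced; if coercion is wanted, that belongs in the rule, not in the handler.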
Solution 2
Actually, I wrote a package to solve this problem easily. You can use it or contribute to it on Github.
Download this package from here: https://www.npmjs.com/package/string-sanitizer
You can use this utility package to sanitize even foreign languages other than English. Under the hood, regex is used in this library. You can convert your string to a URL- or filename-friendly string. The use cases are given below:
var string = require("string-sanitizer");
string.sanitize("a.bc@d efg#h"); // abcdefgh
string.sanitize.keepSpace("a.bc@d efg#h"); // abcd efgh
string.sanitize.keepUnicode("a.bc@d efg#hক"); // abcd efghক
string.sanitize.addFullstop("a.bc@d efg#h"); // abcd.efgh
string.sanitize.addUnderscore("a.bc@d efg#h"); // abcd_efgh
string.sanitize.addDash("a.bc@d efg#h"); // abcd-efgh
string.sanitize.removeNumber("@abcd efgh123"); // abcdefgh
string.sanitize.keepNumber("@abcd efgh123"); // abcdefgh123
string.addFullstop("abcd efgh"); // abcd.efgh
string.addUnderscore("@abcd efgh"); // @abcd_efgh
string.addDash("@abcd efgh"); // @abcd-efgh
string.removeSpace("@abcd efgh"); // @abcdefgh
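As an added contrast to the string-manipulation style shown above (example code, not part of string-sanitizer or the original answer), the same inputs run through two context-specific functions: a filename sanitizer that keeps Unicode letters and digits while removing path separators, ".." segments and leading dots, and an HTML escaper. The function names and sample inputs are constructed for this example.

```javascript
// Added example: context-aware sanitizing. The same string needs different
// treatment depending on where it ends up, so each function targets one sink.

// Filename context: keep Unicode letters, digits and dots; everything else
// (spaces, slashes, '@', '#', ...) becomes the separator. `sep` is '_' or '-'.
function toSafeFilename(input, { sep = '_', maxLen = 64 } = {}) {
  const edge = new RegExp(`^[.${sep}]+|[.${sep}]+$`, 'g');
  const name = String(input)
    .normalize('NFKC')                    // fold compatibility forms first
    .replace(/[^\p{L}\p{N}.]+/gu, sep)    // path separators cannot survive this
    .replace(/\.{2,}/g, '.')              // no ".." segments (traversal)
    .replace(edge, '')                    // no leading dot (hidden file) or junk
    .slice(0, maxLen);
  return name.length > 0 ? name : 'unnamed';
}

// HTML text context: encode the five characters that can change markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Dispatch on the destination rather than on the string's contents.
function sanitizeForContext(value, context) {
  switch (context) {
    case 'filename': return toSafeFilename(value);
    case 'html': return escapeHtml(value);
    default: throw new TypeError(`no sanitizer for context '${context}'`);
  }
}

// Constructed inputs: the answer's own example string, a traversal-shaped
// path, a Unicode name, and markup that must stay inert in HTML.
const SAMPLES = ['a.bc@d efg#h', '../../etc/passwd', 'résumé ক.pdf', '<b>bio</b>.txt'];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', sanitizeForContext(s, 'filename'), '|', sanitizeForContext(s, 'html'));
}
```

There is deliberately no 'sql' context: for SQL the control is a parameterized query, not string cleaning.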
V.Aleksanyan
Updated on October 29, 2021

Comments
- V.Aleksanyan, over 2 years: I validated my Node.js inputs so that they won't be empty, but I want to sanitize them too. Please help me with how I can do this.

      req.checkBody('name', 'Name is required!').notEmpty();
      req.checkBody('surname', 'Surname is required!').notEmpty();
      req.checkBody('username', 'Username is required!').notEmpty();
      req.checkBody('password', 'Password is required!').notEmpty();
      req.checkBody('password2', 'Passwords do not match!').equals(req.body.password);
      var errors = req.validationErrors();
      if (errors) {
        res.render('user/register', { errors: errors, user: null, title: 'Register' });
      } else {
        var userData = {
          name: req.body.name,
          surname: req.body.surname,
          username: req.body.username,
          password: req.body.password,
          avatar: 'No_person.jpg'
        };
        userController.addUser(req, res, userData);
      }

- kgangadhar, over 6 years: @V.Aleksanyan, here 'string' refers to the value you want to match or the regex expression you want to allow. You can try it out in this sanitizer runkit.

- V.Aleksanyan, over 6 years: When I submit the form I check validation and write your code:

      var name = sanitizer.value(req.body.name, 'string');
      var surname = sanitizer.value(req.body.surname, 'string');
      var username = sanitizer.value(req.body.username, 'string');

  It returns me this error: "string is not a valid sanitizer type". Please tell me why that is.

- kgangadhar, over 6 years: That's just an example to show how it works. It should be like this:

      var myMatchingString = sanitizer.value(req.mystring, /abc123/);

  or a regular expression instead of abc123. Go through the documentation; it will explain how to use it as a middleware with the application.

- PotatoFarmer, about 4 years: This library is more akin to a string manipulation library rather than a viable sanitizer. Sanitation should seek to contain the input and preferably be context aware, rather than just manipulating a string to some assumed desired result: string.sanitize("[email protected]") would ideally not return "12com". Some improvements could include focusing on context specific sanitation (sanitize.HTMLsafe(), sanitize.SQLsafe(), sanitize.EmailAddress(), etc.) as well as dropping string helper functions (leave the kitchen sink at home).

- Md Fazlul Karim, about 4 years: Thank you for your suggestion. Basically, I wrote it to solve a practical problem. Since then many people find it handy and useful. "Sanitizer" means cleaning or disinfecting in our practical life. The word "sanitizer" is used in that practical sense. Nothing more. Besides, the names string-manipulator and string-manipulation were both already taken while publishing this library. I will try to add these updates in the future. Thank you, again.

- sloreti, about 3 years: check() isn't built-in with Express. It's part of express-validator.

- Jerubaal Xerxes, almost 2 years: So far I see this as the best approach to start solving the sanitize problem. I don't want to know what the input is. Just like the way JS can detect an integer and a string, that's how I think it should work, and this is somewhat close. The issue is to avoid SQL injection by trimming unwanted symbols added before or after the input value.