From 0392b8c94d16f7670c885de4527f6571b7698f95 Mon Sep 17 00:00:00 2001
From: Frank Lemanschik
Date: Wed, 14 Apr 2021 15:39:37 +0200
Subject: [PATCH 1/5] Create html_escape.js
---
 lib/html_escape.js | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 lib/html_escape.js
diff --git a/lib/html_escape.js b/lib/html_escape.js
new file mode 100644
index 0000000..9ee0334
--- /dev/null
+++ b/lib/html_escape.js
@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2017-present by Andrea Giammarchi - @WebReflection
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+const {replace} = '';
+
+// escape
+const es = /&(?:amp|#38|lt|#60|gt|#62|apos|#39|quot|#34);/g;
+const ca = /[&<>'"]/g;
+
+const esca = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ "'": ''',
+ '"': '"'
+};
+const pe = m => esca[m];
+
+/**
+ * Safely escape HTML entities such as `&`, `<`, `>`, `"`, and `'`.
+ * @param {string} es the input to safely escape
+ * @returns {string} the escaped input, and it **throws** an error if
+ * the input type is unexpected, except for boolean and numbers,
+ * converted as string.
+ */
+const escape = es => replace.call(es, ca, pe);
+module.exports = escape;
From c98a4546685da4210ad6c01cbb0e57c961a1baad Mon Sep 17 00:00:00 2001
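Review bot: The `esca` table in this hunk reads `'&': '&'`, `'<': '<'` and so on, which as written makes `escape` return its input unchanged and would void the `str()` escaping introduced in the next patch; presumably the entity references were decoded when the page was rendered and the file on disk holds `'&': '&amp;'`, `'<': '&lt;'`, `'>': '&gt;'`, `"'": '&#39;'`, `'"': '&quot;'`, but confirm it and pin it with a test such as `assert.strictEqual(escape('<a href="x">&'), '&lt;a href=&quot;x&quot;&gt;&amp;')`. The `es` regex is never used (it is the unescape pattern from the upstream library) and is shadowed by the `es` parameter of `escape`, so drop it or rename the parameter to `input`. Since the file is a copy of html-escaper with its license header, a one-line comment naming the upstream project and the version copied would let a maintainer diff against it later.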
From: Frank Lemanschik
Date: Wed, 14 Apr 2021 15:48:35 +0200
Subject: [PATCH 2/5] Update Sanitizer.js fix issue #1
---
 lib/Sanitizer.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/Sanitizer.js b/lib/Sanitizer.js
index b1f75cd..3bce4cf 100644
--- a/lib/Sanitizer.js
+++ b/lib/Sanitizer.js
@@ -6,7 +6,7 @@
 var vtor = require('validator');
 var _ = require('lodash');
-
+var htmlEscape = require('./html_escape.js')
 class Sanitizer {
 bool(value) {
@@ -88,6 +88,10 @@ class Sanitizer {
 }
 str(value) {
+ return !_.isNull(value) && !_.isUndefined(value) ? htmlEscape(value.toString()) : null;
+ }
+
+ strRaw(value) {
 return !_.isNull(value) && !_.isUndefined(value) ? value.toString() : null;
 }
@@ -158,4 +162,4 @@ function fixUrl(url, protocol) {
 }
 return null;
-}
\ No newline at end of file
+}
From a9f41f4028629385097123ef20b937ca2b91729d Mon Sep 17 00:00:00 2001
From: Frank Lemanschik
Date: Wed, 14 Apr 2021 16:26:09 +0200
Subject: [PATCH 3/5] Updated package.json add docs. fix tests
---
 README.md | 12 ++++++++----
 lib/Sanitizer.js | 7 +++++--
 lib/middleware.js | 4 ++++
 package.json | 8 ++++----
 4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 31070a1..4246849 100644
--- a/README.md
+++ b/README.md
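Review bot: The added `var htmlEscape = require('./html_escape.js')` line has no terminating semicolon while the two `require` lines above it do; automatic semicolon insertion covers it here, but the file's convention is explicit semicolons, so write `var htmlEscape = require('./html_escape.js');`.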
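Review bot: `str()` now returns HTML-escaped text to every existing caller, so a value that used to be stored or compared as-is — a username, a token containing `&`, a header value — comes back as `a&amp;b`, and a view layer that already encodes on output will double-escape it; escaping is an output-context concern, and this silent change of default for `req.*String` is not called out anywhere in the commit. If the escaped default is kept, document it on the method, e.g. `/** HTML-escapes &, <, >, " and ' in the value; use strRaw() for values that are not rendered into HTML. */`, and mark `strRaw` as returning the untrusted input unchanged. Both methods share `value.toString()`, which turns an object or array body parameter into `[object Object]` or a comma-joined string instead of rejecting it — pre-existing, but worth a `_.isString(value)` check now that the result is being treated as safe. The `Sanitizer` class starts and ends outside the hunk.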
@@ -39,28 +39,32 @@ This will remove all keys from a plain object that are not `String`, `Integer`,
 ## Express Middleware
 ### req.headerInt(headerName: String): Integer
-### req.headerString(headerName: String): String
+### req.headerString(headerName: String): String htmlEscaped
+### req.headerStringRaw(headerName: String): String unEscaped
 ### req.headerFloat(headerName: String): Float
 ### req.headerEmail(headerName: String): String
 ### req.headerPattern(headerName: String, pattern: RegExp): String
 ### req.headerOneOf(headerName: String, arr: Array): String
 ### req.bodyInt(bodyParam: String): Integer
-### req.bodyString(bodyParam: String): String
+### req.bodyString(bodyParam: String): String htmlEscaped
+### req.bodyStringRaw(bodyParam: String): String unEscaped
 ### req.bodyFloat(bodyParam: String): Float
 ### req.bodyEmail(bodyParam: String): String
 ### req.bodyPattern(bodyParam: String, pattern: RegExp): String
 ### req.bodyOneOf(bodyName: String, arr: Array): String
 ### req.queryInt(queryParam: String): Integer
-### req.queryString(queryParam: String): String
+### req.queryString(queryParam: String): String htmlEscaped
+### req.queryStringRaw(queryParam: String): String unEscaped
 ### req.queryFloat(queryParam: String): Float
 ### req.queryEmail(queryParam: String): String
 ### req.queryPattern(queryParam: String, pattern: RegExp): String
 ### req.queryOneOf(queryName: String, arr: Array): String
 ### req.paramInt(paramName: String): Integer
-### req.paramString(paramName: String): String
+### req.paramString(paramName: String): String htmlEscaped
+### req.paramStringRaw(paramName: String): String unEscaped
 ### req.paramFloat(paramName: String): Float
 ### req.paramEmail(paramName: String): String
 ### req.paramPattern(paramName: String, pattern: RegExp): String
diff --git a/lib/Sanitizer.js b/lib/Sanitizer.js
index 3bce4cf..1c85282 100644
--- a/lib/Sanitizer.js
+++ b/lib/Sanitizer.js
@@ -10,7 +10,7 @@ var htmlEscape = require('./html_escape.js')
 class Sanitizer {
 bool(value) {
- return _.isBoolean(value) ? value : vtor.toBoolean(value);
+ return (value) ? true : false;
 }
 float(value) {
@@ -57,12 +57,15 @@ class Sanitizer {
 }
 email(value) {
- return vtor.isEmail(value) ? value : null;
+ return (value && vtor.isEmail(value)) ? value : null;
 }
 url(value) {
 var protocol;
 var options;
+ if (!value) {
+ return null
+ }
 if (_.isArray(value)) {
 protocol = value[1];
 options = {protocols: [protocol]};
diff --git a/lib/middleware.js b/lib/middleware.js
index 02a28de..2ebc629 100644
--- a/lib/middleware.js
+++ b/lib/middleware.js
@@ -21,6 +21,7 @@ exports.mixinFilters = function mixinFilters(req) {
 req.headerFloat = createSanitizeFloat.call(req, 'headers');
 req.headerEmail = createSanitizeFunc.call(req, 'headers', 'email');
 req.headerString = createSanitizeFunc.call(req, 'headers', 'str');
+ req.headerStringRaw = createSanitizeFunc.call(req, 'headers', 'strRaw');
 req.headerPattern = createSanitizePattern.call(req, 'headers');
 req.headerOneOf = createSanitizeOneOf.call(req, 'headers');
@@ -29,6 +30,7 @@ exports.mixinFilters = function mixinFilters(req) {
 req.bodyFloat = createSanitizeFloat.call(req, 'body');
 req.bodyEmail = createSanitizeFunc.call(req, 'body', 'email');
 req.bodyString = createSanitizeFunc.call(req, 'body', 'str');
+ req.bodyStringRaw = createSanitizeFunc.call(req, 'body', 'strRaw');
 req.bodyPattern = createSanitizePattern.call(req, 'body');
 req.bodyArray = createSanitizeArray.call(req, 'body');
 req.bodyJson = function() {
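Review bot: Replacing `vtor.toBoolean(value)` with `(value) ? true : false` changes the answer for the string inputs this class receives from headers, query strings and bodies: `'false'` and `'0'` are non-empty strings and now sanitize to `true`, so a `?enabled=false` query reads as enabled, while only `''`, `0`, `null` and `undefined` still give `false`. If the motivation is that the validator bump to ^13 in this same patch makes `toBoolean` reject non-string input (validator's string helpers throw a TypeError on non-strings in recent versions — confirm against the pinned release), keep the old semantics and coerce first: `return _.isBoolean(value) ? value : vtor.toBoolean(_.isNil(value) ? '' : String(value));`. A test with `'false'` and `'0'` would lock the behaviour either way. The `bool` method's enclosing class starts outside the hunk.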
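Review bot: The `return null` inside the new `if (!value)` guard in `url()` lacks a semicolon, unlike every other statement in the class; write `return null;`. The `value &&` guard added to `email()` only filters falsy input: a numeric or array body value still reaches `vtor.isEmail`, which in the validator ^13 line pulled in by this patch throws a TypeError on non-string arguments (to be confirmed against that version), so `_.isString(value) && vtor.isEmail(value)` is the safer check and also keeps the null/undefined behaviour the hunk intends. Both methods' enclosing class starts and ends outside the hunk.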
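Review bot: The new `req.headerStringRaw` accessor (and `bodyStringRaw`, `queryStringRaw`, `paramStringRaw` in the three following hunks) hands back the caller-supplied value with no escaping, which is exactly what `req.headerString` did before this series, yet nothing at the definition tells a reader which of the two is safe to interpolate into HTML. Add a one-line JSDoc to each raw accessor, e.g. `/** @returns {string|null} the header value unchanged; encode it for the output context before rendering */`, and the matching note on `headerString` that it is HTML-escaped. `mixinFilters` starts and ends outside the hunk.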
@@ -44,6 +46,7 @@ exports.mixinFilters = function mixinFilters(req) {
 req.queryFloat = createSanitizeFloat.call(req, 'query');
 req.queryEmail = createSanitizeFunc.call(req, 'query', 'email');
 req.queryString = createSanitizeFunc.call(req, 'query', 'str');
+ req.queryStringRaw = createSanitizeFunc.call(req, 'query', 'strRaw');
 req.queryPattern = createSanitizePattern.call(req, 'query');
 req.queryArray = createSanitizeArray.call(req, 'query');
 req.queryOneOf = createSanitizeOneOf.call(req, 'query');
@@ -53,6 +56,7 @@ exports.mixinFilters = function mixinFilters(req) {
 req.paramFloat = createSanitizeFloat.call(req, 'params');
 req.paramEmail = createSanitizeFunc.call(req, 'params', 'email');
 req.paramString = createSanitizeFunc.call(req, 'params', 'str');
+ req.paramStringRaw = createSanitizeFunc.call(req, 'params', 'strRaw');
 req.paramPattern = createSanitizePattern.call(req, 'params');
 req.paramOneOf = createSanitizeOneOf.call(req, 'params');
 };
diff --git a/package.json b/package.json
index fb85ada..fca9924 100644
--- a/package.json
+++ b/package.json
@@ -25,11 +25,11 @@
 "registry": "https://registry.npmjs.org"
 },
 "devDependencies": {
- "mocha": "^2.1.0",
- "should": "^4.6.0"
+ "mocha": "^8.3.2",
+ "should": "^13.2.3"
 },
 "dependencies": {
- "lodash": "^4.17.0",
- "validator": "^3.33.0"
+ "lodash": "^4.17.21",
+ "validator": "^13.5.2"
 }
 }
From 9b8958ec06b5f7cd511f69000a2cf19d05431cc2 Mon Sep 17 00:00:00 2001
From: Frank Lemanschik
Date: Wed, 14 Apr 2021 16:45:40 +0200
Subject: [PATCH 4/5] Update package.json
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index fca9924..d4900d8 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sanitize",
- "version": "2.1.0",
+ "version": "2.1.1",
 "description": "Input sanitizing library for node.js",
 "main": "lib/sanitize.js",
 "scripts": {
From 432f68f127b7df546a9ae9744a50ae646dc97571 Mon Sep 17 00:00:00 2001
From: Frank Lemanschik
Date: Wed, 28 Apr 2021 06:03:16 +0200
Subject: [PATCH 5/5] Update README.md
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4246849..7175230 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,7 @@
-# node-sanitize
+#(deprecated)!!! Use the sanitizer api
+https://github.com/mikewest/sanitizer-playground
+
+# node-sanitize
 Input sanitizing library for node.js
 # Summary