Sanitizing input in Express using express-validator

In the world of running a public-facing server, it’s crucial to never trust the input you receive. Even though you may have implemented client-side code to sanitize and block any weird input, there are still ways for people to manipulate and exploit your server. That’s why it’s important to sanitize your input.

Luckily, the express-validator package that you already use for input validation can also be used for sanitization. Let’s say you have a POST endpoint that accepts parameters like name, email, and age:

const express = require('express')
const app = express()

app.use(express.json())

app.post('/form', (req, res) => {
  // Values arrive exactly as the client sent them
  const name = req.body.name
  const email = req.body.email
  const age = req.body.age
})

You can enhance the validation by using express-validator as follows:

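const express = require('express')
const { check, validationResult } = require('express-validator')
const app = express()

app.use(express.json())

app.post('/form', [
  check('name').isLength({ min: 3 }),
  check('email').isEmail(),
  check('age').isNumeric()
], (req, res) => {
  // The validators only record errors; the handler has to check them
  const errors = validationResult(req)
  if (!errors.isEmpty()) {
    return res.status(422).json({ errors: errors.array() })
  }

  const name = req.body.name
  const email = req.body.email
  const age = req.body.age
})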

To add sanitization, you can use the sanitization methods provided by express-validator:

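app.post('/form', [
  // express-validator v6+ runs a chain in the order written,
  // so trim first and validate the trimmed value
  check('name').trim().isLength({ min: 3 }).escape(),
  check('email').isEmail().normalizeEmail(),
  check('age').trim().isNumeric().escape()
], (req, res) => {
  //...
})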

In the above example, we used the following sanitization methods:

  • trim(): Trims characters (by default, whitespace) at the beginning and end of a string.
  • escape(): Replaces special characters like <, >, &, ', ", and / with their corresponding HTML entities.
  • normalizeEmail(): Canonicalizes an email address, with options to lowercase email addresses or subaddresses.

There are also other sanitization methods available, such as:

  • blacklist(): Removes characters that appear in the blacklist.
  • whitelist(): Removes characters that do not appear in the whitelist.
  • unescape(): Replaces HTML encoded entities with their original characters.
  • ltrim(): Trims characters at the start of the string.
  • rtrim(): Trims characters at the end of the string.
  • stripLow(): Removes ASCII control characters, which are normally invisible.

You can also force the conversion of input to a specific format using the following methods:

  • toBoolean(): Converts the input string to a boolean. In strict mode, only ‘1’ and ‘true’ return true.
  • toDate(): Converts the input string to a date, or null if the input is not a date.
  • toFloat(): Converts the input string to a float, or NaN if the input is not a float.
  • toInt(): Converts the input string to an integer, or NaN if the input is not an integer.

Similar to custom validators, you can also create custom sanitizers. In the callback function, you simply return the sanitized value:

const sanitizeValue = value => {
  // sanitize...
  return value
}

app.post('/form', [
  check('value').customSanitizer(value => {
    return sanitizeValue(value)
  }),
], (req, res) => {
  // req.body.value now holds whatever sanitizeValue returned
  const value = req.body.value
})
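
A concrete custom sanitizer for the name field, as an added example that is not code from the original article: it refuses non-string JSON values, folds Unicode compatibility forms, strips control and invisible characters, and caps the length by code point. The names sanitizeDisplayName and MAX_NAME_LENGTH are hypothetical, and the sample inputs are constructed.

```javascript
// Added example. sanitizeDisplayName and MAX_NAME_LENGTH are hypothetical names.
const MAX_NAME_LENGTH = 64

// Control characters except tab/LF/CR (those are collapsed as whitespace below)
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g
// Zero-width and bidirectional-control characters that can disguise text
const INVISIBLE_CHARS = /[\u200B-\u200F\u202A-\u202E\u2060-\u2069\uFEFF]/g

function sanitizeDisplayName (value) {
  // express.json() can deliver an array, object, number or null where a
  // string was expected; return '' so a later length check rejects it.
  if (typeof value !== 'string') return ''

  const cleaned = value
    .normalize('NFKC') // fold fullwidth and other compatibility forms
    .replace(CONTROL_CHARS, '')
    .replace(INVISIBLE_CHARS, '')
    .replace(/\s+/g, ' ') // collapse whitespace runs, including newlines
    .trim()

  // Cut by code point so a surrogate pair is never split in half
  return Array.from(cleaned).slice(0, MAX_NAME_LENGTH).join('').trimEnd()
}

// Wiring (needs express-validator, so shown as a comment):
//   check('name').customSanitizer(sanitizeDisplayName).isLength({ min: 3 })

// Constructed sample inputs
const samples = [
  '  Alice\t\n Smith  ',
  '\uFF21\uFF44\uFF4D\uFF49\uFF4E', // "Admin" written in fullwidth letters
  'ad\u200Bmin\u202E', // zero-width space and right-to-left override
  ['a', 'b', 'c'], // array where a string was expected
  'x\u0000y' // embedded NUL
]
for (const s of samples) console.log(JSON.stringify(sanitizeDisplayName(s)))
```

Running the length validator after the sanitizer means the empty string returned for non-string input fails validation instead of reaching the handler.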

By properly sanitizing your input, you can ensure that your Express app is protected against malicious exploits and unexpected input. Use the power of express-validator to validate and sanitize your data effectively.
