How I can sanitize my input values in node js?

I validated my Node.js inputs so that they won't be empty, but I want to sanitize them too. Please help me how I can do this.

req.checkBody('name', 'Name is required!').notEmpty();
req.checkBody('surname', 'Surname is required!').notEmpty();
req.checkBody('username', 'Username is required!').notEmpty();
req.checkBody('password', 'Password is required!').notEmpty();
req.checkBody('password2', 'Passwords do not match!').equals(req.body.password);

var errors = req.validationErrors();

if (errors) {
res.render('user/register', {
errors: errors,
user: null,
title: 'Register'
});
}
else {
var userData = {
name : req.body.name,
surname : req.body.surname,
username : req.body.username,
password : req.body.password,
avatar : 'No_person.jpg'
};
userController.addUser(req,res,userData);
}

Actually, I wrote a package to solve this problem easily. You can use it or contribute to it on Github.

Download this package from here:

[To see links please register here]

You can use this utility package to sanitize even foreign languages other than English. Under the hood, regex is used in this library. You can convert your string to URL or filename friendly string. The use cases are given below


var string = require("string-sanitizer");

string.sanitize("a.bc@d efg#h"); // abcdefgh
string.sanitize.keepSpace("a.bc@d efg#h"); // abcd efgh
string.sanitize.keepUnicode("a.bc@d efg#hক"); // abcd efghক
string.sanitize.addFullstop("a.bc@d efg#h"); // abcd.efgh
string.sanitize.addUnderscore("a.bc@d efg#h"); // abcd_efgh
string.sanitize.addDash("a.bc@d efg#h"); // abcd-efgh
string.sanitize.removeNumber("@abcd efgh123"); // abcdefgh
string.sanitize.keepNumber("@abcd efgh123"); // abcdefgh123
string.addFullstop("abcd efgh"); // abcd.efgh
string.addUnderscore("@abcd efgh"); // @abcd_efgh
string.addDash("@abcd efgh"); // @abcd-efgh
string.removeSpace("@abcd efgh"); // @abcdefgh

[Codeblock][1]

[![enter image description here][2]][2]


[1]:

[2]:

- For most of the framework, you can use [`sanitize`](

[To see links please register here]

) node module:

npm install sanitize --save

And then can use like:

var sanitizer = require('sanitize')();

var name = sanitizer.value(req.name, 'string');
var surname= sanitizer.value(req.surname, 'string');

For more can go through [sanitize](

[To see links please register here]

) documentation

- If you are using `express`, then you can validate and sanitize using [express-validator](

[To see links please register here]

) and [express-sanitize-input](

[To see links please register here]

) packages as follows:

const express = require('express');
const { check } = require('express-validator');
const app = express();

app.use(express.json())

app.post('/form', [
check('name').isLength({ min: 3 }).trim().escape(),
check('email').isEmail().normalizeEmail(),
check('age').isNumeric().trim().escape()
], (req, res) => {
const name = req.body.name
const email = req.body.email
const age = req.body.age
})
For more can go through [express-validator](

[To see links please register here]

) and [express-sanitize-input](

[To see links please register here]

) documentation.

- If you are using `Hapi`, then you can validate and sanitize using [Joi](

[To see links please register here]

), With the Joi, you can sanitize variable with additional options

validate(value, schema, {escapeHtml: true}, [callback])

For more can go through [Joi](

[To see links please register here]

) documentation.

- If you don't want to use any third party module and want to sanitize using the built-in node. you can try following:

// For string variables
str = typeof(str) === 'string' && str.trim().length > 0 ? str.trim() : '';
// for boolean values
bool = typeof(bool) === 'boolean' && bool === true ? true : false;
// for array values
arr = typeof(arr) === 'object' && arr instanceof Array ? arr : [];
// for number values
num = typeof(num) === 'number' && num % 1 === 0 ? num : 0;
// for objects
obj = typeof(obj) === 'object' && !(obj instanceof Array) && obj !== null ? obj : {};

[`validator`][1] has 5M downloads/week and seems like the most popular package in the industry as of today. `express-validator` uses `validator` as it's core. These are certainly one option, as are other packages like `xss` and `sanitize-html`

There is extensive documentation on both of the validator packages, here is the section on sanitization:

[To see links please register here]

[1]:

[To see links please register here]

I use Yup for validation. It's a lot smaller package than Joi. I've used Yup on both front and backend and I usually throw my validations into a shared npm package that both the front end and backend projects can have the same validation library

npm install -S yup


then

import * as yup from 'yup';

let schema = yup.object().shape({
name: yup.string().required(),
age: yup.number().required().positive().integer(),
email: yup.string().email(),
website: yup.string().url(),
createdOn: yup.date().default(function () {
return new Date();
}),
});

// check validity
schema
.isValid({
name: 'jimmy',
age: 24,
})
.then(function (valid) {
valid; // => true
});


From Yup's website:

> Yup is a JavaScript schema builder for value parsing and validation.
> Define a schema, transform a value to match, validate the shape of an
> existing value, or both. Yup schema are extremely expressive and allow
> modeling complex, interdependent validations, or value
> transformations.
>
> Yup's API is heavily inspired by Joi, but leaner and built with
> client-side validation as its primary use-case. Yup separates the
> parsing and validating functions into separate steps. cast()
> transforms data while validate checks that the input is the correct
> shape. Each can be performed together (such as HTML form validation)
> or separately (such as deserializing trusted data from APIs).

You will want to create your own validators for special items like password matching etc. This can be done using regex then add the function to Yup like so:

let schema = string().matches(/(hi|bye)/);

Put all your validation functions into your shared NPM package (including your typescript types etc). The cases where your frontend team is out of sync with validations on the backend will now be less of a concern.

You can create custom middleware that you can integrate into any endpoint (or globally for every request), and it will check if any of the inputs in the request `body` is problematic.

It will check if:
- The input contains some embedded HTML code (scripts of images for example).
- First non-white character is `=`, which make Excel imports vulnerable.

---
**Middleware**
```
const containsHtml = /<[^>]*>/;
const startsWithEqual = /^\s*=/;

const isInvalidInput = (input) => {
return containsHtml.test(input) || startsWithEqual.test(input);
}

exports.inputValidator = (req,res,next) => {
let invalid_input_count = 0;
const obj = req.body;
const stack = [obj];
while (stack?.length > 0) {
const currentObj = stack.pop();
Object.keys(currentObj).forEach(key => {
if (typeof currentObj[key] === 'object' && currentObj[key] !== null) {
stack.push(currentObj[key]);
} else {
if (typeof currentObj[key] === 'string' && isInvalidInput(currentObj[key])) {
invalid_input_count++;
}
}
});
}

if(invalid_input_count === 0) {
return next();
} else{
return res.status(400).json({ success: false, error_code: 'invalid_input'});
}
}
```
**Usage**
```
const express = require('express');
const { inputValidator } = require('./util/input-validator');

...

const app = express();
app.use(inputValidator); // Check every request for vulnerable inputs
```