An express middleware inspired from express-sanitizer but additionally sanitizes URL params. It also gives an option to provide a preprocessor function to decide whether a (key, value) pair should be sanitized or not.

npm install express-caja-sanitizer

Needs to be called after express.bodyParser() and before anything that requires the sanitized input, e.g.:

var express = require('express');
var bodyParser = require('body-parser');
var cajaSanitizer = require('express-caja-sanitizer');

var app = express();

app.use(bodyParser());
app.use(cajaSanitizer());

This module by default sanitizes the request URL params (req.params), apart from request body and query string params, e.g.:

https://www.myapp.com/rest/user/<script>console.log("hello")</script>bob/details

will be sanitized as

https://www.myapp.com/rest/user/bob/details

When shouldSanitize function is provided as an option, the module will sanitize only the (key, value) pairs for which the function returns true.

For example, if we don't want to sanitize XML values then the preprocesser function can be

var shouldSanitize = function(key, value) {
  return !value.startsWith('<?xml version="1.0"')
}

##Limitations This is a basic implementation of Caja-HTML-Sanitizer with the specific purpose of mitigating against persistent XSS risks.

##Caveats This module trusts the dependencies to provide basic persistent XSS risk mitigation. A user of this package should review all packages and make their own decision on security and fitness for purpose.