XSS: replacing deprecated sanitize-js with sanitize-html

2023-12-08 18:50:58 +05:30 · 2023-12-08 18:50:58 +05:30 · 99bc9d64fb
parent 6e2d6cbac4
commit 99bc9d64fb
2 changed files with 6 additions and 4 deletions
--- a/packages/server/package.json
+++ b/packages/server/package.json
@ -61,9 +61,9 @@
        "mysql": "^2.18.1",
        "pg": "^8.11.1",
        "reflect-metadata": "^0.1.13",
+        "sanitize-html": "^2.11.0",
        "socket.io": "^4.6.1",
        "sqlite3": "^5.1.6",
-        "strip-js": "^1.2.0",
        "typeorm": "^0.3.6",
        "uuid": "^9.0.1",
        "winston": "^3.9.0"
--- a/packages/server/src/utils/XSS.ts
+++ b/packages/server/src/utils/XSS.ts
@ -1,10 +1,12 @@
 import { Request, Response, NextFunction } from 'express'
-let stripJs = require('strip-js')
+const sanitizeHtml = require('sanitize-html')

 export function sanitizeMiddleware(req: Request, res: Response, next: NextFunction): void {
-    req.url = stripJs(req.url)
+    // decoding is necessary as the url is encoded by the browser
+    const decodedURI = decodeURI(req.url)
+    req.url = sanitizeHtml(decodedURI)
    for (let p in req.query) {
-        req.query[p] = stripJs(req.query[p])
+        req.query[p] = sanitizeHtml(req.query[p])
    }

    next()