Skip to content

Request query, payload, and params sanitization for Hapi

License

Notifications You must be signed in to change notification settings

genediazjr/disinfect

Repository files navigation

disinfect

NodeCI CodeQL NPM Version NPM Downloads Code Climate Known Vulnerabilities

Hapi plugin to apply Google's Caja HTML Sanitizer on route query, payload, and params.

  • Capable for custom sanitization and per-route configuration.
  • Can also be used for input formatting using the custom sanitizer option.
  • Can be disabled per route.

Usage

const registerPlugins = async (server) => Promise.all([
    server.register({
        plugin: require('disinfect'),
        options: {
            disinfectQuery: true,
            disinfectParams: true,
            disinfectPayload: true
        }
    })
]);

registerPlugins(server)
    .then(() => {
        // ...
    })
    .catch((err) => {
        // ...
    })

Glue manifest

register: {
    plugins: [
        {
            plugin: require('disinfect'),
            options: {
                disinfectQuery: true,
                disinfectParams: true,
                disinfectPayload: true
            }
        }
    ]
}

Options

  • deleteEmpty - remove empty query or payload keys.
  • deleteWhitespace - remove whitespace query, payload, or params keys.
  • disinfectQuery - sanitize query strings.
  • disinfectParams - sanitize url params.
  • disinfectPayload - sanitize payload.
  • genericSanitizer - custom synchronous function to do the sanitization of query, payload, and params.
  • querySanitizer - custom synchronous function to do the sanitization of query strings.
  • paramsSanitizer - custom synchronous function to do the sanitization of url params.
  • payloadSanitizer - custom synchronous function to do the sanitization of payload.

deleteEmpty and deleteWhitespace defaults to false.

disinfectQuery, disinfectParams, and disinfectPayload defaults to false. If set to true, object will be passed to caja first before custom sanitizers.

dirtyObject ->`Caja` sanitizer -> `genericSanitizer` -> `query-`, `params-`, or `payload-` sanitizer -> deleteWhitespace -> deleteEmpty -> cleanObject.

genericSanitizer, querySanitizer, paramsSanitizer, and payloadSanitizer should be in the following format:

const customSanitizer = (dirtyObj) => {
    // ...
    return cleanObj;
}

All options can be passed on a per-route basis. Route options overrides server options.

// example
{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: {
                disinfectQuery: true,
                disinfectParams: false,
                disinfectPayload: true
            }
        }
    }
}

Disable on a route.

{
    path: '/',
    method: 'get',
    handler: (request, reply) => {
        ...
    },
    options: {
        plugins: {
            disinfect: false
        }
    }
}

Contributing

Credits

About

Request query, payload, and params sanitization for Hapi

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •