Blog#211: 🔐Validating and Sanitizing User Input in Node.js Express

Posted by: NGUYỄN ANH TUẤN

From Viblo Asia

Hi, I'm Tuan, a Full-stack Web Developer from Tokyo 😊. Follow my blog to not miss out on useful and interesting articles in the future.

Introduction

User input validation and sanitization are crucial aspects of web development. They help prevent security vulnerabilities, such as SQL injection and cross-site scripting (XSS) attacks, while also ensuring that the data entered by users is accurate and consistent. In this article, we'll explore various techniques for validating and sanitizing user input in Node.js Express applications, using the popular libraries express-validator and sanitize-html.

Why Validate and Sanitize User Input?

Validation

Validation is the process of checking whether user input meets specific criteria, such as data type, length, or format. Validation is essential for several reasons:

  • Data Consistency: Validation ensures that user input aligns with the expected format, making it easier to process and store the data.
  • User Experience: Providing meaningful feedback to users about incorrect input helps them correct their mistakes, resulting in a smoother user experience.
  • Security: Validation can help prevent security vulnerabilities by rejecting malicious input before it reaches sensitive parts of the application.

Sanitization

Sanitization is the process of cleaning user input by removing or altering potentially harmful data. This is crucial for preventing security vulnerabilities such as XSS attacks, where an attacker injects malicious code into a web application.

Getting Started with Express and Middleware

Before diving into validation and sanitization, let's set up a basic Express application and understand the role of middleware.

Express Setup

First, create a new directory for your project and initialize it with npm:

mkdir node-validation
cd node-validation
npm init -y

Next, install Express:

npm install express

Create a new file named app.js and set up a basic Express application:

const express = require('express');
const app = express();

app.get('/', (req, res) => {
  res.send('Hello, World!');
});

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});

Middleware

In Express, middleware are functions that have access to the request object, response object, and the next function in the request-response cycle. They can execute code, modify the request and response objects, or end the request-response cycle.

To validate and sanitize user input, we'll use middleware provided by the express-validator and sanitize-html libraries.

Using express-validator for Input Validation

express-validator is a popular library for validating and sanitizing user input in Express applications. Let's begin by installing it:

npm install express-validator

Basic Validation

Now, let's create a simple form to accept a username and email. Update your app.js file to include the following:

const express = require('express');
const { body, validationResult } = require('express-validator');
const app = express();

app.use(express.urlencoded({ extended: false }));

app.post(
  '/submit',
  [
    body('username').isLength({ min: 5 }).withMessage('Username must be at least 5 characters long'),
    body('email').isEmail().withMessage('Email must be a valid email address'),
  ],
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    res.send('Form submitted successfully');
  }
);

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});

Here, we've imported the body function from express-validator, which we use to apply validation rules to the request body. The validationResult function is used to gather the results of the validation process. We've also added a new POST route for form submission, which includes an array of validation middleware.

In this example, we're using the isLength and isEmail validators to check if the username has a minimum length of 5 characters and if the email is in a valid format. We've also added custom error messages using the withMessage method.

When the form is submitted, the validation middleware runs each rule against the input and records any failures on the request; validationResult(req) then collects them into the errors object. If there are errors, we return a 400 Bad Request status together with the error messages. If validation succeeds, we proceed with processing the submitted data.

Custom Validators

You can also create custom validators by providing a function to the body method. For example, let's create a custom validator to check if the username does not contain any numbers:

body('username').custom((value) => {
  if (/\d/.test(value)) {
    throw new Error('Username must not contain numbers');
  }
  return true;
}),

Add this custom validator to the validation middleware array for the /submit route. Now the form submission will be rejected if the username contains any digits.
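To make the validate-then-reject flow of the /submit route (the isLength and isEmail rules plus the custom "no digits" validator) observable without a running server, here is an added example that is not part of the original article. It does not use Express or express-validator: runRules() is a hand-written stand-in for the validation chain and validationResult(), the req objects are constructed, and the isEmail() helper is a deliberately simple check, not the library's. What it adds to the article's code is the caveat that every check first requires a string, because a urlencoded body can deliver a repeated field as an array.

```javascript
// Added example: the article's /submit validation flow, written without Express
// or express-validator so that it runs stand-alone. runRules() stands in for the
// express-validator chain and validationResult(); field names and the req shape
// are constructed for the example.

// Deliberately simple email check (one '@', non-empty local and domain parts,
// a dot in the domain). express-validator's isEmail() is far stricter.
function isEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Each rule: { field, message, check(value) -> boolean }.
// Every check first requires a string: with urlencoded bodies a repeated field
// (username=a&username=b) arrives as an array, and a regex test on an array
// silently coerces it to "a,b", so anything that is not a string is rejected.
const rules = [
  { field: 'username', message: 'Username must be at least 5 characters long',
    check: (v) => typeof v === 'string' && v.length >= 5 },
  { field: 'username', message: 'Username must not contain numbers',
    check: (v) => typeof v === 'string' && !/\d/.test(v) },
  { field: 'email', message: 'Email must be a valid email address',
    check: (v) => typeof v === 'string' && isEmail(v) },
];

// Runs every rule and collects all failures (as validationResult(req).array()
// does), so the client learns about every problem in a single round trip.
function runRules(body, ruleSet) {
  const errors = [];
  for (const rule of ruleSet) {
    const value = body ? body[rule.field] : undefined;
    if (rule.check(value) !== true) {
      errors.push({ param: rule.field, msg: rule.message, value });
    }
  }
  return errors;
}

// Mirrors the route handler: 400 with the error list, or 200 on success.
function handleSubmit(req) {
  const errors = runRules(req.body, rules);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  return { status: 200, body: 'Form submitted successfully' };
}

// Constructed sample requests: valid, several violations, and a repeated field.
const samples = [
  { body: { username: 'alice_w', email: 'alice@example.com' } },
  { body: { username: 'bob1', email: 'not-an-email' } },
  { body: { username: ['alice_w', 'eve'], email: 'eve@example.com' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const req of samples) {
    console.log(JSON.stringify(handleSubmit(req)));
  }
}
```

The second sample produces three errors at once (too short, contains a digit, bad email), and the third is rejected even though its first array element would pass on its own; collecting all failures before responding is what the article's errors.array() call gives you for free.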

Using sanitize-html for Input Sanitization

sanitize-html is a popular library for sanitizing HTML input, which helps prevent XSS attacks. Start by installing the library:

npm install sanitize-html

Basic Sanitization

Now, let's create a simple form to accept a user's name and a comment. Update your app.js file to include the following:

const express = require('express');
const sanitizeHtml = require('sanitize-html');
const app = express();

app.use(express.urlencoded({ extended: false }));

app.post('/comment', (req, res) => {
  const sanitizedComment = sanitizeHtml(req.body.comment);
  res.send(`Comment received: ${sanitizedComment}`);
});

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});

In this example, we're using the sanitizeHtml function to strip any potentially harmful HTML from the user's comment before processing it. By default, sanitize-html removes any HTML tags that are not on its allow list of permitted tags, so injected scripts cannot execute.

Custom Sanitization Options

You can customize the sanitization behavior by providing an options object to the sanitizeHtml function. For example, let's allow only basic text formatting tags and remove all attributes:

const sanitizeOptions = {
  allowedTags: ['b', 'i', 'em', 'strong', 'u'],
  allowedAttributes: {},
};

const sanitizedComment = sanitizeHtml(req.body.comment, sanitizeOptions);

By specifying the allowedTags and allowedAttributes options, we can control which HTML elements and attributes are allowed in the user's input.
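To show what allowedTags and allowedAttributes actually decide, here is an added example that is not part of the original article and not the sanitize-html library: a minimal allow-list sanitizer written from scratch, with the same option names as the article's sanitizeOptions. It illustrates the approach (disallowed tags are dropped but their text survives, script and style elements are removed wholesale, attributes not on the list are stripped, and text is escaped), while deliberately leaving out things sanitize-html handles for you, such as entity decoding and URL scheme checks on href. The sample inputs are constructed; escapeHtml() is also shown because a field that should never contain markup, such as a name, is better escaped on output than sanitized.

```javascript
// Added example: a minimal allow-list HTML sanitizer that mirrors the meaning of
// sanitize-html's allowedTags / allowedAttributes options. It illustrates the
// approach only; it is not sanitize-html and not a substitute for it.

// Escape text so it renders literally inside an HTML body or a quoted attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Keep only the allowed attributes of an allowed tag, re-serialised with quoted
// values. Simplification: no URL scheme check on href/src (sanitize-html has
// allowedSchemes for that).
function filterAttributes(tagName, rawAttrs, allowedAttributes) {
  const allowed = allowedAttributes[tagName] || [];
  const kept = [];
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue;
    let value = m[2] === undefined ? '' : m[2];
    if (value.startsWith('"') || value.startsWith("'")) value = value.slice(1, -1);
    kept.push(`${name}="${escapeHtml(value)}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitize(html, options) {
  const allowedTags = options.allowedTags.map((t) => t.toLowerCase());
  const allowedAttributes = options.allowedAttributes || {};

  // 1. Drop script and style elements together with everything inside them:
  //    their contents are code, not text worth keeping.
  const stripped = String(html).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');

  // 2. Walk the remaining markup. Tags are decided by the allow list; everything
  //    between tags is treated as text and escaped (simplification: an entity
  //    already present in the input, like &amp;, is escaped a second time).
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let result = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(stripped)) !== null) {
    result += escapeHtml(stripped.slice(last, m.index));
    last = tagRe.lastIndex;
    const isClosing = m[0].startsWith('</');
    const name = m[1].toLowerCase();
    if (!allowedTags.includes(name)) continue; // disallowed tag: drop it, keep its text
    result += isClosing
      ? `</${name}>`
      : `<${name}${filterAttributes(name, m[2], allowedAttributes)}>`;
  }
  result += escapeHtml(stripped.slice(last));
  return result;
}

// The article's options: basic formatting tags, no attributes at all.
const sanitizeOptions = {
  allowedTags: ['b', 'i', 'em', 'strong', 'u'],
  allowedAttributes: {},
};

// Constructed sample comment mixing allowed markup with typical XSS payload shapes.
const sampleComment =
  '<b onclick="steal()">bold</b> & <script>alert(1)</script>' +
  '<a href="http://x">link</a><img src=x onerror=alert(1)>';

function demo() {
  return sanitize(sampleComment, sanitizeOptions); // → <b>bold</b> &amp; link
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(escapeHtml('<script>')); // for plain-text fields: &lt;script&gt;
}
```

Widening allowedAttributes, for example { a: ['href'] }, keeps that one attribute and still strips the event handlers; anything not listed never reaches the output, which is the property that makes an allow list safer than trying to enumerate bad tags.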

Conclusion

In this article, we've explored the importance of validating and sanitizing user input in Node.js Express applications. We've demonstrated how to use express-validator for input validation and sanitize-html for input sanitization. By implementing these techniques, you can significantly improve the security and data consistency of your web applications.

And Finally

As always, I hope you enjoyed this article and got something new. Thank you and see you in the next articles!

If you liked this article, please give me a like and subscribe to support me. Thank you. 😊
