11

Do you guys know of a solid library/function in Javascript to clean user input?

Mainly for preventing XSS attacks and the sort.

It would be a plus if the said library had the option of allowing certain tags etc.

EDIT: I'm using node.js on the backend. That's why I need a javascript library for that sort of thing.

People are recommending a part of Google Caja here: Preventing XSS in Node.js / server side javascript

But I was just hoping to get more options.

arnorhs
    Personally, I think that input scrubbing should be done for semantic reasons, not security reasons. The family of XSS-like attacks are really an **output** problem, and you need to "protect" different output domains in different ways. Those security threats cannot really be solved at input time without potentially degrading your application functionality. – Pointy Jan 13 '11 at 21:33
  • That's a good point @Pointy - but you'd probably want to filter user input for multiple reasons. – arnorhs Jan 13 '11 at 21:41
  • @arnorhs - yes, I think it's good to filter input for semantic reasons - phone numbers should look like phone numbers, etc. But sometimes there's no good reason to limit input (like "Comments" or "Notes" fields). Maybe a customer has a good reason to include "&" or "<" in their text. Some people have apostrophes or ampersands in their names! – Pointy Jan 13 '11 at 21:51
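The comments above make the point that XSS is an output problem: store what the user typed, validate fields that have a required shape, and encode at render time for the context the value lands in. The following is an added example in plain Node.js (not code from the question or from any answer) that shows this; the function names, the profile record and the sample values are all constructed for the illustration.

```javascript
// Added example: contextual output encoding in Node.js. User input is
// stored as-is; each output context gets its own encoder, so a name like
// "O'Neil & Sons" survives intact instead of being scrubbed on input.
// All function names and sample data below are constructed for this demo.

// Encode for HTML text content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encode for a string literal inside an inline <script>: every character that
// is not alphanumeric becomes \xHH or \uHHHH, so neither quotes nor "</script>"
// can terminate the literal or the script block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL attribute policy: only absolute http(s) URLs are accepted for href;
// anything else (other schemes, junk) is replaced by an inert placeholder.
function safeHref(url) {
  const u = String(url).trim();
  return /^https?:\/\//i.test(u) ? u : '#';
}

// Semantic validation of a field that has a required shape ("phone numbers
// should look like phone numbers"). Free-text fields get no such filter.
function isValidPhone(s) {
  return /^\+?[0-9][0-9 ()-]{6,20}$/.test(String(s));
}

// Render a profile card. The stored record is never modified; encoding is
// applied here, once per output context.
function renderProfile(user) {
  return [
    `<div class="profile" data-name="${escapeHtml(user.name)}">`,
    `  <h2>${escapeHtml(user.name)}</h2>`,
    `  <p>${escapeHtml(user.notes)}</p>`,
    `  <a href="${escapeHtml(safeHref(user.website))}">site</a>`,
    `  <script>var displayName = "${escapeJsString(user.name)}";</script>`,
    `</div>`,
  ].join('\n');
}

// Constructed sample record: a legitimate name with an apostrophe and an
// ampersand, a notes field containing markup-like text, and a website value
// that is not an http(s) URL and therefore must not reach href unchanged.
const sampleUser = {
  name: "O'Neil & Sons",
  notes: 'Use <b> for bold, and "quotes" are fine',
  website: 'javascript:void(0)',
  phone: '+1 (555) 010-0000',
};

console.log(renderProfile(sampleUser));
console.log('phone valid:', isValidPhone(sampleUser.phone));
```

The same raw string is encoded three different ways in one template (attribute, text, and script literal), which is exactly why a single input-time filter cannot do the job: it would have to guess which of those contexts the value will end up in.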

3 Answers

13

I use node-validator by chriso.

Example

var check = require('validator').check,
    sanitize = require('validator').sanitize;

// Validate
check('test@email.com').len(6, 64).isEmail();       // Methods are chainable
check('abc').isInt();                               // Throws 'Invalid integer'
check('abc', 'Please enter a number').isInt();      // Throws 'Please enter a number'
check('abcdefghijklmnopzrtsuvqxyz').is(/^[a-z]+$/);

// Sanitize / Filter
var int = sanitize('0123').toInt();                  // 123
var bool = sanitize('true').toBoolean();             // true
var str = sanitize(' \t\r hello \n').trim();        // 'hello'
var str = sanitize('aaaaaaaaab').ltrim('a');        // 'b'
var str = sanitize(large_input_str).xss();          // large_input_str: any untrusted string
var str = sanitize('&lt;a&gt;').entityDecode();     // '<a>'
Baggz
    It's important to note that as of v3 of validator.js, the xss() method is deprecated. Chris (the author of validator.js) is now recommending that people use Google's Caja library. More info can be found here: https://github.com/chriso/validator.js/commit/2d5d6999541add350fb396ef02dc42ca3215049e – Glen Selle Jun 27 '14 at 14:43
2

This is the equivalent of the PHP strip_tags function in Javascript. phpjs.org comes in handy for this kind of situation.

http://phpjs.org/functions/strip_tags:535

amosrivera
0

For this purpose I use DOMPurify; it is a good enough and fast library. The examples below are from the official documentation.

DOMPurify.sanitize('<img src=x onerror=alert(1)//>'); // becomes <img src="x">

DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); // becomes <svg><g></g></svg>

DOMPurify.sanitize('<p>abc<iframe/\/src=jAva&Tab;script:alert(3)>def'); // becomes <p>abcdef</p>

DOMPurify.sanitize('<math><mi//xlink:href="data:x,<script>alert(4)</script>">'); // becomes <math><mi></mi></math>

DOMPurify.sanitize('<TABLE><tr><td>HELLO</tr></TABL>'); // becomes <table><tbody><tr><td>HELLO</td></tr></tbody></table>

DOMPurify.sanitize('<UL><li><A HREF=//google.com>click</UL>'); // becomes <ul><li><a href="//google.com">click</a></li></ul>

You can find more by following this URL.

Gh111