8

I am building a web application in NodeJS with Express, Angular JS and Google App-Engine Datastore.

I am learning Node. I created a form that "sanitizes" (escapes) user input before inserting into the database. I followed the NodeJS tutorial on the MDN website to create this code:

//Trim and escape all inputs
req.sanitize('requester').escape();
req.sanitize('requester').trim();
req.sanitize('dataowner').escape();
req.sanitize('dataowner').trim();
req.sanitize('requested_filepath_list').escape();
req.sanitize('requested_filepath_list').trim();

The 'requested_filepath_list' is a list of UNIX file paths.

So when a user submits the request, it is stored in the database in the "Escaped" format.

//Escaped data
&#x2F;top&#x2F;example&#x2F;test123.txt

Question: How can I "unescape" the data for display purposes?

//Desired output
/top/example/test123.txt

I tried the unescape function, but it does not seem to work; it just returns the same output.

let escape_str = '&#x2F;top&#x2F;example&#x2F;test123.txt';
let unescaped_str = unescape(escape_str);
console.log('unescaped_str: ' + unescaped_str);

//Output
unescaped_str: &#x2F;top&#x2F;example&#x2F;test123.txt

//Desired output
/top/example/test123.txt
pengz
  • Why store escaped in the first place? Store inside database as just normal text. – Keith Nov 01 '17 at 14:37
  • Interesting point but I thought it was better to store it escaped for security purposes. – pengz Nov 01 '17 at 15:25

2 Answers

6

I was able to use the 'he' library to achieve this requirement.

Here's a post with the details: What's the right way to decode a string that has special HTML entities in it?

Here's the library. I was able to install it using npm install.

https://www.npmjs.com/package/he

Example solution:

const he = require('he');

let escape_str = '&#x2F;top&#x2F;example&#x2F;test123.txt';

let unescaped_str = he.decode(escape_str);

console.log('unescaped_str ' + unescaped_str);
pengz
-1

You can try this :)

const querystring = require('querystring');
querystring.unescape(escape_str);
  • I installed the querystring module and tried those steps, however the string remains unchanged... const querystring = require('querystring'); let escape_str = '&#x2F;top&#x2F;example&#x2F;test123.txt'; let unescaped_str = querystring.unescape(escape_str); console.log('unescaped_str ' + unescaped_str); output &#x2F;top&#x2F;example&#x2F;test123.txt – pengz Nov 01 '17 at 22:05
  • Perhaps this only works on Node version 9.0. I am on Node 8.4.0. https://nodejs.org/api/querystring.html#querystring_querystring_unescape_str – pengz Nov 01 '17 at 22:09
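The two decoders tried on this page handle different encodings: `unescape` and `querystring.unescape` undo percent-encoding, while the stored value is HTML-entity encoded. The sketch below is an added example, not code from the posts or from the `he` library. It shows that difference, and the alternative raised in the first comment: store the raw path and encode only when writing HTML. The function names, the entity table (modelled on the escaped form shown in the question) and the sample values are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the 'he' or express-validator API.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                   "'": '&#x27;', '/': '&#x2F;' };

// Output encoding: apply when writing a value into HTML, not before storing it.
function escapeHtml(raw) {
  return String(raw).replace(/[&<>"'\/]/g, (ch) => ENTITIES[ch]);
}

// Single-pass decoder for a few named entities plus numeric references.
// Unknown or invalid references are left untouched.
function decodeHtml(escaped) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return String(escaped).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : m;
    }
    const hex = body[1] === 'x' || body[1] === 'X';
    const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
    const valid = cp > 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
    return valid ? String.fromCodePoint(cp) : m;
  });
}

// Percent-decoding, the operation unescape()/querystring.unescape() perform.
function percentDecode(value) {
  return decodeURIComponent(value);
}

// Store-raw pattern: the datastore keeps the raw path, the view encodes it.
function renderCell(rawPath) {
  return '<td>' + escapeHtml(rawPath) + '</td>';
}

// Constructed sample values.
const stored = '&#x2F;top&#x2F;example&#x2F;test123.txt';
const withMarkup = '/top/<img src=x>.txt';

console.log(percentDecode(stored)); // unchanged: there are no %XX sequences
console.log(decodeHtml(stored));    // entity references decoded
console.log(renderCell(withMarkup)); // markup characters encoded at output
```

A decoded value is raw text again, so it still needs output encoding wherever it is placed into HTML. AngularJS `{{ }}` interpolation does that encoding itself, which is why an entity-encoded stored value shows up literally on the page.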