var sanitizer = require('sanitizer'),
validator = require('validator');
// Express middleware for sanitization and validation
// of all request data.
// (c) 2014 Alex Greenland. MIT Licence.
module.exports = function() {
// Factory: returns an Express middleware that runs every string found in
// req.query, req.body and req.path through sanitizer.sanitize and
// validator.escape before the request reaches later layers. Takes no
// options. Headers, cookies and route params are not touched.
// NOTE(review): despite the header comment, nothing here validates;
// the 'validator' package is only used for validator.escape.
// Recursive cleaning function.
// Arrays are walked element by element; anything else falls into the
// string branch. There is no branch for plain objects, so a nested
// object (e.g. from a JSON body or extended querystring parsing) is
// handed to sanitizer.sanitize as a whole and its inner strings are not
// cleaned individually — TODO(review): add an object branch or reject
// nested input explicitly.
var cleanValue = function(value) {
if (Array.isArray(value)) {
// The value is an array. Clean each array element individually.
var cleanedArray = value.map(function(elem) {
// Recursive call.
return cleanValue(elem);
});
return cleanedArray;
} else {
// String (this is the base case), so sanitize then escape.
// Non-string primitives (numbers, booleans, null) also land here and are
// passed to sanitizer.sanitize as-is — presumably coerced to a string by
// the library; verify, since validator.escape may throw on non-strings
// in newer versions of 'validator'.
var cleaned = validator.escape(sanitizer.sanitize(value));
// Convert hex-encoded apostrophe to decimal-encoded apostrophe;
// convert escaped ampersand to name-encoded ampersand.
// NOTE(review): as displayed, the entity text in the two regexes and the
// replacement strings on the next line has been decoded by the page
// renderer (the apostrophe entities show as a bare quote), which leaves
// the line syntactically invalid; check the repository source for the
// real entity literals before relying on this normalization.
cleaned = cleaned.replace(/'/g, ''').replace(/&/g, '&');
return cleaned;
}
};
// Cleans a key and the key's value within an object.
// Copies oldObject[key] into newObject under the cleaned key and returns
// newObject (which is mutated in place). Two distinct keys may in
// principle clean to the same string, in which case the later write
// silently wins.
// NOTE(review): a key such as "__proto__" is assigned with plain
// bracket syntax, which on an ordinary object invokes the prototype
// setter instead of adding a property — consider Object.defineProperty
// or skipping such keys.
var cleanObjectProperty = function(oldObject, newObject, key) {
var cleanedKey = cleanValue(key);
newObject[cleanedKey] = cleanValue(oldObject[key]);
return newObject;
}
// The cleaner must be called as soon as possible,
// and ensure before the router and impression/analytics handling.
// The returned middleware rebuilds req.query and req.body as fresh
// objects whose own enumerable keys and values have passed through
// cleanValue, then calls next(). It never sends a response and never
// passes an error to next(), so a throwing sanitizer surfaces as an
// uncaught exception in this layer.
return function(req, res, next) {
var newReqQuery = {};
var newReqBody = {};
// Clean the querystring.
if (req.query) {
Object.keys(req.query).forEach(function(item) {
newReqQuery = cleanObjectProperty(req.query, newReqQuery, item);
});
// Set the req.query object to the cleaned object
// so that it is passed on appropriately to next layer.
delete req.query;
req.query = newReqQuery;
}
// Clean the path.
// NOTE(review): in Express, req.path is normally a getter defined on the
// request prototype; this file has no 'use strict', so assigning to it
// is a silent no-op and the path is most likely not cleaned at all —
// confirm against the Express version in use.
req.path = cleanValue(req.path);
// Clean the body.
if (req.body) {
Object.keys(req.body).forEach(function(item) {
newReqBody = cleanObjectProperty(req.body, newReqBody, item);
});
// Set the req.body object to the cleaned object
// so that it is passed on appropriately to next layer.
delete req.body;
req.body = newReqBody;
}
next();
};
};