https://huntr.dev/bounties/1-npm-sanitize

README.md

@@ -1,4 +1,7 @@
-# node-sanitize
+#(deprecated)!!! Use the sanitizer api 
+https://github.com/mikewest/sanitizer-playground
+
+# node-sanitize 
 Input sanitizing library for node.js
 
 # Summary
@@ -39,28 +42,32 @@ This will remove all keys from a plain object that are not `String`, `Integer`,
 ## Express Middleware
 
 ### req.headerInt(headerName: String): Integer
-### req.headerString(headerName: String): String
+### req.headerString(headerName: String): String htmlEscaped
+### req.headerStringRaw(headerName: String): String unEscaped
 ### req.headerFloat(headerName: String): Float
 ### req.headerEmail(headerName: String): String
 ### req.headerPattern(headerName: String, pattern: RegExp): String
 ### req.headerOneOf(headerName: String, arr: Array): String
 
 ### req.bodyInt(bodyParam: String): Integer
-### req.bodyString(bodyParam: String): String
+### req.bodyString(bodyParam: String): String htmlEscaped
+### req.bodyStringRaw(bodyParam: String): String unEscaped
 ### req.bodyFloat(bodyParam: String): Float
 ### req.bodyEmail(bodyParam: String): String
 ### req.bodyPattern(bodyParam: String, pattern: RegExp): String
 ### req.bodyOneOf(bodyName: String, arr: Array): String
 
 ### req.queryInt(queryParam: String): Integer
-### req.queryString(queryParam: String): String
+### req.queryString(queryParam: String): String htmlEscaped
+### req.queryStringRaw(queryParam: String): String unEscaped
 ### req.queryFloat(queryParam: String): Float
 ### req.queryEmail(queryParam: String): String
 ### req.queryPattern(queryParam: String, pattern: RegExp): String
 ### req.queryOneOf(queryName: String, arr: Array): String
 
 ### req.paramInt(paramName: String): Integer
-### req.paramString(paramName: String): String
+### req.paramString(paramName: String): String htmlEscaped
+### req.paramStringRaw(paramName: String): String unEscaped
 ### req.paramFloat(paramName: String): Float
 ### req.paramEmail(paramName: String): String
 ### req.paramPattern(paramName: String, pattern: RegExp): String

lib/Sanitizer.js

@@ -6,11 +6,11 @@
 
 var vtor = require('validator');
 var _ = require('lodash');
-
+var htmlEscape = require('./html_escape.js')
 class Sanitizer {
 
   bool(value) {
-    return _.isBoolean(value) ? value : vtor.toBoolean(value);
+    return (value) ? true : false;
   }
 
   float(value) {
@@ -57,12 +57,15 @@ class Sanitizer {
   }
 
   email(value) {
-    return vtor.isEmail(value) ? value : null;
+    return (value && vtor.isEmail(value)) ? value : null;
   }
 
   url(value) {
     var protocol;
     var options;
+    if (!value) {
+      return null
+    }
     if (_.isArray(value)) {
       protocol = value[1];
       options = {protocols: [protocol]};
@@ -88,6 +91,10 @@ class Sanitizer {
   }
 
   str(value) {
+    return !_.isNull(value) && !_.isUndefined(value) ? htmlEscape(value.toString()) : null;
+  }
+
+  strRaw(value) {
     return !_.isNull(value) && !_.isUndefined(value) ? value.toString() : null;
   }
 
@@ -158,4 +165,4 @@ function fixUrl(url, protocol) {
   }
 
   return null;
-}
+}

lib/html_escape.js

@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2017-present by Andrea Giammarchi - @WebReflection
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+const {replace} = '';
+
+// escape
+const es = /&(?:amp|#38|lt|#60|gt|#62|apos|#39|quot|#34);/g;
+const ca = /[&<>'"]/g;
+
+const esca = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  "'": '&#39;',
+  '"': '&quot;'
+};
+const pe = m => esca[m];
+
+/**
+ * Safely escape HTML entities such as `&`, `<`, `>`, `"`, and `'`.
+ * @param {string} es the input to safely escape
+ * @returns {string} the escaped input, and it **throws** an error if
+ *  the input type is unexpected, except for boolean and numbers,
+ *  converted as string.
+ */
+const escape = es => replace.call(es, ca, pe);
+module.exports = escape;

lib/middleware.js

@@ -21,6 +21,7 @@ exports.mixinFilters = function mixinFilters(req) {
   req.headerFloat = createSanitizeFloat.call(req, 'headers');
   req.headerEmail = createSanitizeFunc.call(req, 'headers', 'email');
   req.headerString = createSanitizeFunc.call(req, 'headers', 'str');
+  req.headerStringRaw = createSanitizeFunc.call(req, 'headers', 'strRaw');
   req.headerPattern = createSanitizePattern.call(req, 'headers');
   req.headerOneOf = createSanitizeOneOf.call(req, 'headers');
 
@@ -29,6 +30,7 @@ exports.mixinFilters = function mixinFilters(req) {
   req.bodyFloat = createSanitizeFloat.call(req, 'body');
   req.bodyEmail = createSanitizeFunc.call(req, 'body', 'email');
   req.bodyString = createSanitizeFunc.call(req, 'body', 'str');
+  req.bodyStringRaw = createSanitizeFunc.call(req, 'body', 'strRaw');
   req.bodyPattern = createSanitizePattern.call(req, 'body');
   req.bodyArray = createSanitizeArray.call(req, 'body');
   req.bodyJson = function() {
@@ -44,6 +46,7 @@ exports.mixinFilters = function mixinFilters(req) {
   req.queryFloat = createSanitizeFloat.call(req, 'query');
   req.queryEmail = createSanitizeFunc.call(req, 'query', 'email');
   req.queryString = createSanitizeFunc.call(req, 'query', 'str');
+  req.queryStringRaw = createSanitizeFunc.call(req, 'query', 'strRaw');
   req.queryPattern = createSanitizePattern.call(req, 'query');
   req.queryArray = createSanitizeArray.call(req, 'query');
   req.queryOneOf = createSanitizeOneOf.call(req, 'query');
@@ -53,6 +56,7 @@ exports.mixinFilters = function mixinFilters(req) {
   req.paramFloat = createSanitizeFloat.call(req, 'params');
   req.paramEmail = createSanitizeFunc.call(req, 'params', 'email');
   req.paramString = createSanitizeFunc.call(req, 'params', 'str');
+  req.paramStringRaw = createSanitizeFunc.call(req, 'params', 'strRaw');
   req.paramPattern = createSanitizePattern.call(req, 'params');
   req.paramOneOf = createSanitizeOneOf.call(req, 'params');
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "sanitize",
-  "version": "2.1.0",
+  "version": "2.1.1",
   "description": "Input sanitizing library for node.js",
   "main": "lib/sanitize.js",
   "scripts": {
@@ -25,11 +25,11 @@
     "registry": "https://registry.npmjs.org"
   },
   "devDependencies": {
-    "mocha": "^2.1.0",
-    "should": "^4.6.0"
+    "mocha": "^8.3.2",
+    "should": "^13.2.3"
   },
   "dependencies": {
-    "lodash": "^4.17.0",
-    "validator": "^3.33.0"
+    "lodash": "^4.17.21",
+    "validator": "^13.5.2"
   }
 }