I have an Express Request Handler that takes a request, which includes user form input (email), makes a request to another one of my (trusted) endpoints (via newFunctionWithRequest), and then returns data from that new response (newResponse).
```typescript
import { Request, Response, NextFunction } from "express";

// newFunctionWithRequest is the author's own helper (not shown in the question)
export const Handler = async (req: Request, res: Response, next: NextFunction) => {
  const { newResponse } = await newFunctionWithRequest(req)
  res.send(newResponse.data) // Snyk identifies this line as the problem
}
```
Snyk has identified an XSS vulnerability:
Unsanitized input from the HTTP request body flows into send, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)
How can I fix this vulnerability?
2 Answers
DOMPurify works server-side or client-side.
I believe that is the sort of library you are looking for.
https://github.com/cure53/DOMPurify
I would recommend getting the specific elements from the request object req, and then passing them into the newFunctionWithRequest function. This means that the function is not receiving anything it isn’t expecting. For example:
You could also validate that it is the correct type, and sanitise it too if you wanted.
Another option is you could use a library like Joi to validate your incoming requests.
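Putting the second answer's advice into code, as an added example that is not part of the question or either answer: the handler picks only the email field from the body, validates it, passes just that value to a hypothetical newFunctionWithEmail (a stand-in for the question's newFunctionWithRequest), and HTML-escapes what comes back before res.send. The Req and Res types are minimal stand-ins for Express's Request/Response so the file runs without express installed.

```typescript
// Added example (not from the question or either answer). Minimal structural
// types stand in for Express's Request/Response so this runs without express.
type Req = { body: unknown };
type Res = {
  setHeader(name: string, value: string): void;
  send(body: string): void;
};

// Allow-list check for the one field the handler expects. Assumed shape for an
// email address; wrong type, markup characters or over-long values are rejected.
const EMAIL_RE = /^[^\s@<>"'()]+@[^\s@<>"'()]+\.[A-Za-z]{2,}$/;

export function pickEmail(body: unknown): string | null {
  if (typeof body !== "object" || body === null) return null;
  const value = (body as Record<string, unknown>)["email"];
  if (typeof value !== "string") return null;
  const email = value.trim();
  return email.length <= 254 && EMAIL_RE.test(email) ? email : null;
}

// Output encoding for the HTML text/attribute context: the five characters
// that let data break out of the surrounding markup.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// Hypothetical stand-in for the question's newFunctionWithRequest: it now
// receives only the validated field, never the whole request object.
export async function newFunctionWithEmail(email: string): Promise<{ data: string }> {
  return { data: `Hello, ${email}` };
}

// Returns the HTTP status it chose so the behaviour can be checked in tests.
export async function safeHandler(req: Req, res: Res): Promise<number> {
  const email = pickEmail(req.body);
  if (email === null) {
    res.setHeader("Content-Type", "text/plain; charset=utf-8");
    res.send("invalid email");
    return 400;
  }
  const { data } = await newFunctionWithEmail(email);
  // If the response is not meant to be rendered as HTML at all, sending JSON
  // (res.json in Express) avoids the HTML context instead of escaping for it.
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.send(`<p>${escapeHtml(data)}</p>`);
  return 200;
}
```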