Why isn’t the express-validator `.escape()` method working as expected?

Asked By CuriousCoder93 On

I'm using the express-validator middleware to sanitize input, but I'm having trouble with the `query.escape()` method. I followed the getting started tutorial from their site, which shows how to use it. Here's a piece of code I implemented:

```javascript
const express = require('express');
const { query, validationResult } = require('express-validator');
const app = express();

app.use(express.json());

// Validation chain: `person` must be non-empty, then HTML-escape it.
app.get('/hello', query('person').notEmpty().escape(), (req, res) => {
  const result = validationResult(req);
  if (result.isEmpty()) {
    // Reads the value back from req.query after the sanitizer ran.
    return res.send(`Hello, ${req.query.person}!`);
  }
  res.send({ errors: result.array() });
});

app.listen(3000);
```

However, when I make a request to `http://localhost:3000/hello?person=John`, it still logs "Hello, John!" with "John" bolded, which is not the expected outcome. I've also tested with different scripts, and they execute as well. Can someone help me understand what's going wrong? Is there something incorrect in the express-validator documentation? You can look at the tutorial [here](https://express-validator.github.io/docs/guides/getting-started#sanitizing-inputs) for context.

2 Answers

Answered By TechieTina42 On

It looks like you're hitting a known issue with express-validator and Express 5 where the escape function doesn't always sanitize inputs as expected. There's been discussion about this on their GitHub page. You might want to check out what they say about it [here](https://github.com/express-validator/express-validator/issues/1325) for more context. Meanwhile, using additional security measures like a dedicated XSS protection library might be a good idea for any data coming from users! Let me know if that helps or if you have more questions!

Answered By SmartDev77 On

Just to add, you should also consider applying other methods of sanitization as the express-validator escape function isn't enough on its own, especially with XSS vulnerabilities in play. For example, using something like `encodeURIComponent` can offer an extra layer of security. And while client-side validation is a helpful first step, it’s vital to never trust user input completely, so always sanitize on the server side too!
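As an added example (not code from the question, either answer, or the express-validator project), the following dependency-free model shows the Express 5 behaviour behind the issue the first answer points to, and the server-side escaping the second answer asks for. Express 5 makes `req.query` a getter that re-parses the URL on every access, so a sanitizer that writes its result back into `req.query` loses it; express-validator exposes the sanitized value through `matchedData()` instead. The mock request, the `validated` bag and all function names are assumptions for illustration; `htmlEscape` follows the same replacement table as the validator.js `escape()` that express-validator's `.escape()` wraps.

```javascript
// Added example: a dependency-free model of what happens to sanitized query
// values under Express 5. The mock request, the `validated` bag and the
// function names are assumptions for illustration, not Express's or
// express-validator's own source.

// Same replacement table validator.js uses for escape(): HTML-significant
// characters become entities, so a browser renders them as text, not markup.
function htmlEscape(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\//g, '&#x2F;')
    .replace(/\\/g, '&#x5C;')
    .replace(/`/g, '&#96;');
}

// Express 5 defines req.query as a getter that re-parses the URL on every
// access, so a write such as `req.query.person = x` is silently discarded.
// This mock reproduces only that behaviour (assumption: simplified model).
function makeExpress5Request(url) {
  const req = { url, validated: {} };
  Object.defineProperty(req, 'query', {
    enumerable: true,
    get() {
      return Object.fromEntries(new URL(url, 'http://localhost').searchParams);
    },
  });
  return req;
}

// Sanitizer that does what the question expects: write back into req.query.
// Returns the value it tried to store so the caller can compare.
function sanitizeInPlace(req, field) {
  const clean = htmlEscape(req.query[field]);
  req.query[field] = clean; // lost on Express 5: the next read re-parses the URL
  return clean;
}

// Sanitizer that keeps its own copy of the validated data, the pattern behind
// express-validator's matchedData(): the result does not depend on req.query
// being writable.
function sanitizeToBag(req, field) {
  const clean = htmlEscape(req.query[field]);
  req.validated[field] = clean;
  return clean;
}

// Two ways the /hello handler could build its response.
function helloUnsafe(req) {
  sanitizeInPlace(req, 'person');
  return `Hello, ${req.query.person}!`; // still the raw query value
}

function helloSafe(req) {
  sanitizeToBag(req, 'person');
  return `Hello, ${req.validated.person}!`; // the escaped copy
}

// Constructed request: the markup payload from the tutorial the question follows.
const demoReq = makeExpress5Request('/hello?person=<b>John</b>');
console.log(helloUnsafe(demoReq)); // Hello, <b>John</b>!
console.log(helloSafe(demoReq));   // Hello, &lt;b&gt;John&lt;&#x2F;b&gt;!
```

Run it with `node`: the "unsafe" handler echoes the raw markup because its assignment into `req.query` never sticks, while the "safe" handler returns the escaped copy. In the real handler from the question the equivalent change is to read the value from `matchedData(req)` rather than from `req.query.person`, so the response uses what the validation chain produced regardless of whether `req.query` is writable.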
