
What is the best way to sanitize message content on the server side which is received from a client as one of the query string parameters? This message is also meant to be resent to other connected clients, so it has to be secure in terms of code execution or injection (JavaScript or HTML) on the server or client side.

asked Jan 30, 2011 at 21:05
  • (2) What is your server-side technology? JavaScript is purely client-side, so the server-side sanitization is done in whatever programming language you are using at the server end. Example server-side languages would be PHP, Java, etc. Commented Jan 30, 2011 at 21:08
  • He's using node.js. nodejs.org Unfortunately I don't have enough knowledge to answer his question with that server-side technology. Commented Jan 30, 2011 at 21:11
  • 1
    What exactly are you trying to prevent by sanitizing the data? SQL injection? XSS? Commented Jan 30, 2011 at 21:24
  • 3
    This totally depends on what exactly is going to be done with the data, through what protocols it is going to be re-sent etc. There is no general answer for this. Commented Jan 30, 2011 at 21:31
  • @Matt Ball: Prevent XSS and server side code execution (don't know if it's possible in this case because node.js is JS code and you can send malicious JS code as a query string parameter to be executed on the server side). Commented Jan 30, 2011 at 21:34

2 Answers

2

To protect node.js against XSS I borrowed this snippet from jade:

/**
 * Escape the given string of `html`.
 *
 * Replaces `&` (unless it already starts an entity), `<`, `>` and `"`
 * with their HTML entities so the string can be rendered as text.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */
function sanitize(html){
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

P.S.: You should always do proper server-side filtering.

answered Jan 31, 2011 at 0:43
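An added example, not part of the answer above or of jade: a full HTML escaper for messages that a node.js server takes from a query string and re-broadcasts to other clients. It escapes all five HTML-significant characters unconditionally, and keeps the answer's `sanitize()` alongside it (renamed `sanitizeFromAnswer` here) to show where the two differ: the negative lookahead leaves pre-existing entities untouched, and single quotes are not escaped at all, so that version is not safe inside a single-quoted attribute. The `buildBroadcast` helper, the `HTML_ESCAPES` table and the sample messages are assumptions constructed for this example.

```javascript
// Added example (not from the original answer or from jade): escape chat
// messages once on the server before re-broadcasting them.
// Assumption: clients insert the message into an HTML text node or a
// quoted attribute; other sinks (script, URL, CSS) need different escaping.

// Every character that can change meaning in HTML text or in a
// double- or single-quoted attribute. '&' is always escaped, so the output
// is safe whether or not the input already contained an entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The answer's sanitize() for comparison: the lookahead leaves anything that
// already looks like an entity alone, and single quotes pass through.
function sanitizeFromAnswer(html) {
  return String(html)
    .replace(/&(?!\w+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Build the payload that is sent to the other connected clients (constructed
// shape). Escaping is applied here, on the server, to every user-controlled
// field, so no client has to remember to do it.
function buildBroadcast(user, rawMessage) {
  return {
    user: escapeHtml(user),
    message: escapeHtml(rawMessage),
  };
}

// Constructed sample inputs covering markup, a bare ampersand, a message that
// already contains entities, and both quote characters.
const SAMPLES = [
  '<script>alert(1)</script>',
  'a & b',
  '&lt;b&gt; already escaped',
  "it's \"quoted\"",
];

// Returns one row per sample so the two escapers can be compared side by side.
function compareEscapers() {
  return SAMPLES.map((s) => ({
    input: s,
    escapeHtml: escapeHtml(s),
    sanitizeFromAnswer: sanitizeFromAnswer(s),
  }));
}

for (const row of compareEscapers()) {
  console.log(JSON.stringify(row.input), '->', row.escapeHtml, '|', row.sanitizeFromAnswer);
}
```

On the client, the least error-prone way to display the message is to assign it to `textContent` (or `innerText`) rather than `innerHTML`; if the message must go into `innerHTML`, it is the escaped form above that gets inserted. Escaping `&` unconditionally means a user who types `&lt;` sees exactly `&lt;` on screen, whereas with the lookahead version the server cannot tell a typed `&lt;` from an escaped `<`.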

2

You could use node-validator, it looks like a more comprehensive solution than the above snippet.

answered Feb 3, 2011 at 16:55
