Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using escape sanitizer returns string for JSON input #1295

Closed
chidam02 opened this issue May 16, 2024 · 5 comments
Closed

Using escape sanitizer returns string for JSON input #1295

chidam02 opened this issue May 16, 2024 · 5 comments
Labels
i: bug

Comments

@chidam02
Copy link

Describe the bug

const app = express();
.....
app.use(express.json());

After this during validation/sanitization if 'escape()' is used on req.body then req.body is coverted to string and return rather than returning json which was provided as input.

To Reproduce

....
app.use(express.json());

//inside request handler
check(.**).escape().trim() //.** (glob to select every filed till left of a large json payload).

Expected behavior

After escaping html tags, should return the received input json as json rather than string

Current behavior

Environment:

  • Express-validator version: ^7.0.1
  • Express version: ^4.18.2
  • Node.js version: 20
@gustavohenke
Copy link
Member

Hey, can you

  1. recreate your code using https://runkit.com/gustavohenke/express-validator-issue-template, and
  2. provide examples of requests you are sending?

@chidam02
Copy link
Author

Thanks for replying.
Please find required details

         1. https://runkit.com/chidam02/66484103fded21000871b6c7
         2. `const req = {
                  body: {
                      info:{
                          name: 'Project_1'
                      },
                      requirement: {
                          xssInput: '<script scr="someRandom"></script>',
                          fruitQuantity: 5,
                          vegQuantity: 2,
                          isGross: true
                      }
                  },
                  cookies: {},
                  headers: {
                      'Content-Type': 'application/json'
                  },
                  query: {},
                  params: {},
                  query: {},
           };`

@gustavohenke
Copy link
Member

Is your concern that non-string inputs such as req.body.requirement.fruitQuantity are becoming string?

@chidam02
Copy link
Author

Totally yes.

Because of this, usage of app.use(express.json()) or bodyParser becomes void.

@gustavohenke
Copy link
Member

This is expected behaviour.
See here: https://express-validator.github.io/docs/guides/validation-chain#standard-validatorssanitizers

@gustavohenke gustavohenke closed this as not planned Won't fix, can't repro, duplicate, stale May 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
i: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gustavohenke @chidam02