Skip to content

AhmedAdelFahim/express-xss-sanitizer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
lib
lib
 
 
test
test
 
 
.eslintignore
.eslintignore
 
 
.eslintrc.json
.eslintrc.json
 
 
.gitignore
.gitignore
 
 
.prettierrc
.prettierrc
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
index.js
index.js
 
 
package.json
package.json
 
 

Repository files navigation

Express XSS Sanitizer

Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.

Build Status Build Status Latest Stable Version License NPM Downloads NPM Downloads

Installation

$ npm install express-xss-sanitizer

Usage

Add as a piece of express middleware, before defining your routes.

const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');

const app = express();

app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.use(xss());

You can add options to control max number of recursion at sanitization to prevent DOS attacks.

const options = {
   maxDepth: 50, // default 100
}

app.use(xss(options));

You can add options to specify allowed keys or allowed attributes to be skipped at sanitization

const options = {
   allowedKeys: ['name'],
   allowedAttributes: {
         input: ['value'],
   },
}

app.use(xss(options));

You can add options to specify allowed tags to sanitize it and remove other tags

const options = {
   allowedTags: ['h1']
}

app.use(xss(options));

Add as a piece of express middleware, before single route.

const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');

const app = express();

app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.post("/body", xss(), function (req, res) {
      // your code
});

app.post("/test", function (req, res) {
      // your code
});

Note: if you adding xxs() as application level middleware, the xxs() will sanitize req.body, req.headers and req.query only and for req.params you must add xxs() as route level middleware like below example.

const express = require('express');
const bodyParser = require('body-parser');
const { xss } = require('express-xss-sanitizer');

const app = express();

app.use(bodyParser.json({limit:'1kb'}));
app.use(bodyParser.urlencoded({extended: true, limit:'1kb'}));
app.post("/params/:val", xss(), function (req, res) {
      // your code
});

You also can sanitize your data (object, array, string,etc) on the fly.

const { sanitize } = require('express-xss-sanitizer');

// ...
      data = sanitize(data)
// or
      data = sanitize(data, {allowedKeys: ['name']})
// ...

For other frameworks

Tests

To run the test suite, first install the dependencies, then run npm test:

$ npm install
$ npm test

Security

Reporting Vulnerabilities

Please report security issues to ahmedadelfahim@gmail.com

Security Updates

  • v2.0.1: Fixed unbounded recursion depth vulnerability (CVE-2025-59364)

Support

Feel free to open issues on github.

About

Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack.

www.npmjs.com/package/express-xss-sanitizer

Topics

nodejs npm-package expressjs xss sanitizer

Resources

Readme

License

MIT license
Activity

Stars

29 stars

Watchers

1 watching

Forks

11 forks
Report repository

Releases 10

v2.0.2 Latest
Mar 25, 2026
+ 9 releases

Packages

 
 
 

Contributors

Languages