dongmi8980
2012-01-10 15:42

Node.js input filtering

Accepted

In PHP, to filter input data I use the functions htmlspecialchars and mysql_real_escape_string. Are there any functions like this in Node.js?

I need to check all inputs in my router functions to prevent hacker attacks like XSS. Thanks!


2 answers

  • doutui7955 9 years ago

    node-validator is the perfect library for this, it has many functions for both validation and sanitation / filtering, for example:

    entityDecode()                  //Decode HTML entities
    entityEncode()
    xss()                           //Remove common XSS attack vectors from text (default)
    xss(true)                       //Remove common XSS attack vectors from images
    

    or

    contains(str)
    notContains(str)
    regex(pattern, modifiers)       //Usage: regex(/[a-z]/i) or regex('[a-z]','i')
    notRegex(pattern, modifiers)
    len(min, max)                   //max is optional
    isUUID(version)                 //Version can be 3 or 4 or empty, see http://en.wikipedia.org/wiki/Universally_unique_identifier
    isDate()                        //Uses Date.parse() - regex is probably a better choice
    isAfter(date)                   //Argument is optional and defaults to today
    isBefore(date)                  //Argument is optional and defaults to today
    isIn(options)                   //Accepts an array or string
    
  • douju1865 9 years ago

    There is a Node.js package for the Google Caja HTML sanitizer. Or you can use the answer provided here:

    // Escape the five characters that can change HTML structure. "&" must be
    // replaced first, otherwise the entities produced by the later replace
    // calls would themselves be double-escaped.
    function escapeHtml(unsafe) {
      return unsafe
          .replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;")
          .replace(/'/g, "&#039;");
    }
    

    For SQL it depends on what library you are using, but most of them will escape parameterized queries.

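As an added example (not code from either answer), the escaping approach from the second answer applied at the point where an untrusted value enters HTML, with the unescaped rendering shown beside it so the difference is testable; the comment object and its values are constructed sample input.

```javascript
// Map of the characters that can change HTML structure to their entities.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Single-pass escape: one regex replace with a lookup, so "&" can never be
// escaped twice regardless of order (the pitfall of a chain of replace() calls).
function escapeHtml(unsafe) {
  return String(unsafe).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted values are concatenated straight into markup, in both
// an attribute value and element text.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened: every untrusted value is escaped as it is written into HTML.
// The attribute is double-quoted, so escaping the quote keeps it closed.
function renderComment(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `${escapeHtml(comment.body)}</div>`;
}

// Constructed sample input: an author name that tries to break out of the
// attribute and a body that tries to inject a script element.
const sampleComment = {
  author: 'mallory" onmouseover="alert(1)',
  body: '<script>alert(document.cookie)</script> & more',
};
```

For SQL, the same principle applies in reverse: pass values as query parameters (for example the `?` placeholders of the mysql package) rather than escaping them into the statement string.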
