Merge pull request #100 from 100NikhilBro/enhancement/sanitize-html-57

archa8 · web-flow · commit 7492748037ad · 2025-10-10T01:22:00.000+05:30
Enhancement: Security Improvement Suggestion for HTML inputs #57
diff --git a/backend/middleware/sanitizeMiddleware.js b/backend/middleware/sanitizeMiddleware.js
@@ -0,0 +1,34 @@
+const sanitizeHtml = require('sanitize-html');
+
+const sanitize = (obj) => {
+  if (obj && typeof obj === 'object') {
+    for (const k of Object.keys(obj)) {
+      if (typeof obj[k] === 'string') {
+        obj[k] = sanitizeHtml(obj[k], {
+          allowedTags: [],
+          allowedAttributes: {},
+        });
+      } else if (obj[k] !== null && typeof obj[k] === 'object') {
+        sanitize(obj[k]);
+      }
+    }
+  }
+};
+
+exports.sanitizeMiddleware = () => {
+  return (req, res, next) => {
+    if (req.body) {
+      sanitize(req.body);
+    }
+
+    if (req.params) {
+      sanitize(req.params);
+    }
+
+    if (req.query) {
+      sanitize(req.query);
+    }
+
+    next();
+  };
+};
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -26,7 +26,8 @@
     "mongoose": "^8.18.1",
     "multer": "^2.0.2",
     "node-cron": "^4.2.1",
-    "papaparse": "^5.5.3"
+    "papaparse": "^5.5.3",
+    "sanitize-html": "^2.17.0"
   },
   "devDependencies": {
     "jest": "^29.7.0",
diff --git a/backend/server.js b/backend/server.js
@@ -7,6 +7,9 @@ const axios = require('axios');
 const cron = require('node-cron');
 require('./cron');
 
+// import the sanitizeMiddleware
+const { sanitizeMiddleware } = require("./middleware/sanitizeMiddleware")
+
 // Load environment variables
 dotenv.config();
 
@@ -21,7 +24,7 @@ const allowedOrigins = [
 ];
 
 app.use(cors({
-  origin: function (origin, callback) {
+  origin: function(origin, callback) {
     if (!origin || allowedOrigins.includes(origin)) {
       callback(null, true);
     } else {
@@ -32,6 +35,9 @@ app.use(cors({
 }));
 app.use(express.json());
 
+// sanitizeMiddleware
+app.use(sanitizeMiddleware());
+
 // Routes
 app.use('/api/auth', require('./routes/authRoutes'));
 app.use('/api/transactions', require('./routes/transactionRoutes'));
@@ -51,7 +57,7 @@ const PORT = process.env.PORT || 5000;
 
 const server = app.listen(PORT, () => console.log(`Server started on port ${PORT}`));
 
-cron.schedule("*/10 * * * *", async () => {
+cron.schedule("*/10 * * * *", async() => {
   const keepAliveUrl = process.env.KEEP_ALIVE_URL;
   if (!keepAliveUrl) {
     console.error(
