Bird
Raised Fist0
Expressframework~10 mins

Sanitization methods in Express - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to sanitize the input by trimming whitespace.

Express
const sanitizedInput = req.body.username.[1]();
Drag options to blanks, or click blank then click option'
Anormalize
Bescape
CtoLowerCase
Dtrim
Attempts:
3 left
💡 Hint
Common Mistakes
Using escape() instead of trim() removes HTML characters, not spaces.
normalize() changes Unicode forms, not whitespace.
toLowerCase() changes case, not whitespace.
2fill in blank
medium

Complete the code to escape HTML characters in the input.

Express
const safeInput = req.body.comment.[1]();
Drag options to blanks, or click blank then click option'
Aescape
Btrim
CtoUpperCase
Dslice
Attempts:
3 left
💡 Hint
Common Mistakes
Using trim() only removes spaces, not HTML characters.
toUpperCase() changes letter case, not safety.
slice() extracts parts of strings, no sanitization.
3fill in blank
hard

Fix the error in the sanitization chain to properly normalize and trim the input.

Express
const cleanInput = req.body.email.[1]().trim();
Drag options to blanks, or click blank then click option'
AtoLowerCase
Bescape
Cnormalize
Dslice
Attempts:
3 left
💡 Hint
Common Mistakes
Using escape() does not normalize Unicode.
toLowerCase() changes case but not normalization.
slice() does not sanitize or normalize.
4fill in blank
hard

Fill both blanks to sanitize input by trimming and escaping.

Express
const safeText = req.body.text.[1]().[2]();
Drag options to blanks, or click blank then click option'
Atrim
Bescape
CtoLowerCase
Dnormalize
Attempts:
3 left
💡 Hint
Common Mistakes
Reversing the order can cause issues.
Using toLowerCase does not sanitize input.
Normalize is not needed here.
5fill in blank
hard

Fill all three blanks to sanitize input by normalizing, trimming, and escaping.

Express
const finalInput = req.body.input.[1]().[2]().[3]();
Drag options to blanks, or click blank then click option'
Anormalize
Btrim
Cescape
DtoLowerCase
Attempts:
3 left
💡 Hint
Common Mistakes
Changing order can cause incorrect sanitization.
Using toLowerCase does not sanitize input.
Skipping normalization can cause Unicode issues.

Practice

(1/5)
1. What is the main purpose of sanitization methods in Express applications?
easy
A. To compress files before sending
B. To speed up server response time
C. To format dates and times
D. To clean user input and prevent security issues

Solution

  1. Step 1: Understand sanitization role

    Sanitization methods clean user input to remove harmful or unwanted characters.

  2. Step 2: Identify security purpose

    This cleaning helps prevent security problems like injection attacks.

  3. Final Answer:

    To clean user input and prevent security issues -> Option D

  4. Quick Check:

    Sanitization = Clean input for safety [OK]
Hint: Sanitization means cleaning input to keep safe [OK]
Common Mistakes:
  • Confusing sanitization with performance optimization
  • Thinking sanitization formats dates
  • Assuming sanitization compresses data
2. Which Express sanitizer method removes whitespace from both ends of a string?
easy
A. trim()
B. escape()
C. normalizeEmail()
D. toLowerCase()

Solution

  1. Step 1: Identify method purpose

    The trim() method removes spaces from the start and end of a string.

  2. Step 2: Compare other methods

    escape() converts special characters, normalizeEmail() formats emails, toLowerCase() changes case.

  3. Final Answer:

    trim() -> Option A

  4. Quick Check:

    Remove spaces = trim() [OK]
Hint: Trim cuts spaces at string ends [OK]
Common Mistakes:
  • Choosing escape() to remove spaces
  • Confusing normalizeEmail() with trimming
  • Using toLowerCase() for whitespace removal
3. What will be the output of this Express sanitizer code?
const { body, validationResult } = require('express-validator');

app.post('/submit', [
  body('email').normalizeEmail(),
  body('username').trim().escape()
], (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  res.send({ email: req.body.email, username: req.body.username });
});

If the input is:
{ email: ' USER@Example.COM ', username: ' John ' }
medium
A. { email: 'USER@EXAMPLE.COM', username: 'John' }
B. { email: ' USER@Example.COM ', username: ' John ' }
C. { email: 'user@example.com', username: '<b>John</b>' }
D. { email: 'user@example.com', username: 'John' }

Solution

  1. Step 1: Apply normalizeEmail()

    This method lowercases and trims the email, so ' USER@Example.COM ' becomes 'user@example.com'.

  2. Step 2: Apply trim() and escape() on username

    Trim removes spaces around 'John', escape converts < and > to < and > to prevent HTML injection.

  3. Final Answer:

    { email: 'user@example.com', username: '<b>John</b>' } -> Option C

  4. Quick Check:

    Email normalized, username trimmed & escaped = { email: 'user@example.com', username: '<b>John</b>' } [OK]
Hint: Normalize email, trim and escape username [OK]
Common Mistakes:
  • Ignoring escape() effect on username
  • Not trimming email before normalization
  • Assuming username keeps HTML tags
4. Identify the error in this Express sanitization code snippet:
app.post('/data', (req, res) => {
  req.body.name = req.body.name.trim.escape();
  res.send(req.body.name);
});
medium
A. escape() is not a function on string directly
B. trim() should be called after escape()
C. Chaining trim and escape without parentheses is invalid
D. Missing middleware to parse req.body

Solution

  1. Step 1: Check method chaining on string

    JavaScript strings have trim() but not escape() method directly.

  2. Step 2: Understand escape() usage

    escape() is provided by express-validator or similar libraries, not native string method.

  3. Final Answer:

    escape() is not a function on string directly -> Option A

  4. Quick Check:

    escape() needs library, not string method [OK]
Hint: escape() is not a native string method [OK]
Common Mistakes:
  • Assuming escape() works on plain strings
  • Thinking trim() must come after escape()
  • Ignoring need for body parser middleware
5. You want to sanitize a user's profile input before saving to the database. The input includes email, username, and bio. Which combination of sanitization methods is best to ensure safe and clean data?
hard
A. Use trim() for all fields only
B. Use normalizeEmail() for email, trim() and escape() for username, and escape() for bio
C. Use escape() for email and username, no sanitization for bio
D. Use normalizeEmail() for email, no sanitization for username and bio

Solution

  1. Step 1: Sanitize email properly

    normalizeEmail() formats and cleans email addresses correctly.

  2. Step 2: Clean username and bio

    trim() removes extra spaces, escape() prevents harmful HTML or scripts in username and bio.

  3. Final Answer:

    Use normalizeEmail() for email, trim() and escape() for username, and escape() for bio -> Option B

  4. Quick Check:

    Proper sanitization per field = Use normalizeEmail() for email, trim() and escape() for username, and escape() for bio [OK]
Hint: Normalize email, trim and escape text fields [OK]
Common Mistakes:
  • Skipping escape() on bio allowing HTML injection
  • Using only trim() which doesn't prevent scripts
  • Not normalizing email causing inconsistent data