How to Sanitize Input in Node.js: Simple and Safe Methods
To sanitize input in Node.js, use libraries like validator or DOMPurify to clean and validate user data. They convert or remove characters that would otherwise be interpreted as markup or code, which helps prevent injection attacks by making sure input is safe before it is processed or stored.

Syntax
Sanitizing input typically involves importing a sanitization library and applying its functions to user input strings.
For example, using the validator library, you can call validator.escape(input) to convert dangerous characters to safe HTML entities.
Each function addresses one specific task, such as escaping HTML markup, trimming whitespace, or removing script elements.
```javascript
import validator from 'validator';

const userInput = '<script>alert(1)</script>';
// escape() replaces HTML metacharacters with entities
const safeInput = validator.escape(userInput);
console.log(safeInput);
```
Output
```
&lt;script&gt;alert(1)&lt;&#x2F;script&gt;
```
Example
This example shows how to sanitize a user input string to prevent script injection by escaping HTML characters using the validator library.
```javascript
import validator from 'validator';

// Escape HTML metacharacters so the string renders as text, not markup
function sanitizeInput(input) {
  return validator.escape(input);
}

const unsafeInput = '<img src=x onerror=alert(1) />';
const safeOutput = sanitizeInput(unsafeInput);
console.log('Sanitized input:', safeOutput);
```
Output
```
Sanitized input: &lt;img src=x onerror=alert(1) &#x2F;&gt;
```
Common Pitfalls
- Not sanitizing input at all, which leaves your app vulnerable to injection attacks.
- Confusing validation with sanitization: validation checks if input is correct, sanitization cleans harmful parts.
- Using outdated or incomplete sanitization methods that miss some attack vectors.
- Sanitizing the same value more than once can corrupt data: escaping an already escaped string turns `&lt;` into `&amp;lt;`.
Always sanitize input once before use and choose well-maintained libraries.
```javascript
import validator from 'validator';

// Wrong: trusting input without sanitization
const userInput = '<script>alert(1)</script>';
console.log('Unsafe output:', userInput);

// Right: sanitize before use
const safeInput = validator.escape(userInput);
console.log('Safe output:', safeInput);
```
Output
```
Unsafe output: <script>alert(1)</script>
Safe output: &lt;script&gt;alert(1)&lt;&#x2F;script&gt;
```
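The escaping used in the Syntax and Example sections, together with the double-sanitization pitfall above, as one added example that is not code from the original page or from the validator project. It runs without installing anything: `escapeHtml` is a stand-in that reimplements the character-to-entity mapping I know validator.escape to use (treat the exact mapping as an assumption and call validator.escape in real code), and `renderComment`, `doubleEscape` and the `SAMPLES` inputs are hypothetical helpers and constructed data.

```javascript
// Added example, not code from the page or from the validator project.
// escapeHtml reimplements the character mapping validator.escape uses
// (assumption: same eight characters, same entities) so the file runs offline.

const HTML_ESCAPES = {
  '&': '&amp;',
  '"': '&quot;',
  "'": '&#x27;',
  '<': '&lt;',
  '>': '&gt;',
  '/': '&#x2F;',
  '\\': '&#x5C;',
  '`': '&#96;',
};

// Escape text for an HTML context. '&' is handled in the same single pass as
// the other characters, so entities produced here are never re-escaped.
// Non-strings are rejected, as validator.escape rejects them, instead of
// being silently coerced with String().
function escapeHtml(value) {
  if (typeof value !== 'string') {
    throw new TypeError('escapeHtml expects a string');
  }
  return value.replace(/[&"'<>\/\\`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical view helper: the raw comment is stored as typed and escaped
// exactly once, at the point where it is placed inside markup.
function renderComment(rawComment) {
  return `<li class="comment">${escapeHtml(rawComment)}</li>`;
}

// The "sanitizing multiple times" pitfall: the entities emitted by the first
// pass are themselves escaped by the second, and the stored text is now wrong.
function doubleEscape(value) {
  return escapeHtml(escapeHtml(value));
}

// Constructed inputs, taken from the page's own examples.
const SAMPLES = {
  script: '<script>alert(1)</script>',
  img: '<img src=x onerror=alert(1) />',
};

console.log('escaped once :', escapeHtml(SAMPLES.script));
// → &lt;script&gt;alert(1)&lt;&#x2F;script&gt;
console.log('rendered     :', renderComment(SAMPLES.img));
console.log('escaped twice:', doubleEscape(SAMPLES.script));
// → &amp;lt;script&amp;gt;alert(1)&amp;lt;&amp;#x2F;script&amp;gt;
```

Two design points worth keeping in mind: store the raw (validated) value and escape at render time, so the same data can later go into JSON or plain text without first undoing HTML entities; and remember that this encoding is specific to HTML text and attribute values, so text placed inside a JavaScript string, a URL, or a database query needs that context's own encoder or parameterised API instead.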
Quick Reference
Here are common sanitization functions from the validator library:
| Function | Purpose |
|---|---|
| escape(input) | Converts HTML characters to safe entities |
| trim(input) | Removes whitespace from both ends |
| normalizeEmail(input) | Sanitizes and normalizes email addresses |
| stripLow(input) | Removes ASCII control characters |
| whitelist(input, chars) | Removes characters not in the whitelist |
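The trim, stripLow and whitelist entries from the table, wired into one field-cleaning pipeline and set beside a plain validator, as an added example that is not code from the original page or from the validator project. It illustrates the validation-versus-sanitization distinction from Common Pitfalls: the same string is rejected by one and quietly rewritten by the other. The `stripLow` and `whitelist` bodies are my own reimplementations modelled on validator's behaviour (an assumption; use the library functions in real code), and `sanitizeUsername`, `isValidUsername`, `acceptUsername`, `classify` and the `INPUTS` list are hypothetical helpers and constructed data.

```javascript
// Added example, not code from the page or from the validator project.
// stripLow and whitelist are dependency-free stand-ins (assumption: same
// behaviour as validator.stripLow and validator.whitelist).

// Remove ASCII control characters (0x00-0x1F and 0x7F). Newlines are
// dropped as well, as validator.stripLow does unless asked to keep them.
function stripLow(value) {
  return value.replace(/[\x00-\x1F\x7F]/g, '');
}

// Keep only characters in the allowed set. `chars` is a regex character-class
// body such as 'a-zA-Z0-9_', the same calling convention as validator.whitelist.
function whitelist(value, chars) {
  return value.replace(new RegExp(`[^${chars}]+`, 'g'), '');
}

// Sanitization: returns a cleaned value that may differ from what was typed,
// so it suits fields where lossy cleanup is acceptable.
function sanitizeUsername(raw) {
  if (typeof raw !== 'string') throw new TypeError('expected a string');
  return whitelist(stripLow(raw).trim(), 'a-zA-Z0-9_').slice(0, 32);
}

// Validation: returns true or false and never alters the value, so the
// caller can tell the user the input was unacceptable instead of changing it.
const USERNAME_RE = /^[a-zA-Z0-9_]{3,32}$/;
function isValidUsername(raw) {
  return typeof raw === 'string' && USERNAME_RE.test(raw);
}

// Combining both: clean harmless noise first, then insist the result is
// acceptable, so garbage in does not become an empty or misleading username.
function acceptUsername(raw) {
  const cleaned = sanitizeUsername(raw);
  return isValidUsername(cleaned) ? cleaned : null;
}

function classify(raw) {
  return { raw, valid: isValidUsername(raw), sanitized: sanitizeUsername(raw) };
}

// Constructed inputs: padding, control characters, markup from the page's
// examples, a well-formed name, and pure noise.
const INPUTS = ['  alice  ', 'bob\x00\x1f', '<script>x</script>', 'carol_99', '!!!'];

for (const input of INPUTS) {
  console.log(classify(input), 'accepted as:', acceptUsername(input));
}
```

Note what sanitization alone does with `<script>x</script>`: it becomes the well-formed but meaningless username `scriptxscript`, while `!!!` collapses to an empty string. Running validation on the cleaned value (as `acceptUsername` does) is what turns those cases into an explicit rejection rather than stored junk.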
Key Takeaways
Always sanitize user input to prevent security risks like injection attacks.
Use trusted libraries like validator for reliable sanitization functions.
Sanitization cleans harmful characters; validation checks input correctness.
Avoid sanitizing input multiple times to keep data intact.
Test sanitized output to ensure it behaves safely in your app.