I’m asking this as I can’t seem to get a straight answer.
So, NestJS has a very elegant way of handling validation by using decorators. That is, you define DTO classes with properties you expect, and annotate them with class-validator decorators. For example, assume we have a route that accepts input from a contact form.
import { IsEmail, IsNotEmpty, IsString } from 'class-validator';

class ContactInfoDTO {
  @IsString()
  @IsNotEmpty()
  name: string

  @IsEmail()
  email: string

  @IsString()
  @IsNotEmpty() // decorator factory must be called: @IsNotEmpty() rather than @IsNotEmpty
  subject: string

  @IsString()
  @IsNotEmpty()
  body: string
}
This works great for validation. If I enter an invalid email, it will reject it as expected. But, here's my question. What about input sanitization? Say, for example, I enter some JavaScript in the body parameter. Like, say, my body looks like this:
body: "Hello <script>//some malicious code here</script>"
Now, this is still accepted, even though the script tags are not converted to HTML entities, which does pose a bit of a security risk.
So, my question is does NestJS have any kind of built-in Sanitization mechanisms? Is there proper documentation on this? Because I can’t really find any, despite this kind of thing being very important in the context of web development.
What’s the best practice for doing input Sanitization in NestJS?
asked Oct 12, 2020 at 7:30 by Patrick Lumenus

3 Answers

Use sanitize-html with Transform, like this:
import { ApiProperty } from '@nestjs/swagger';
import { Transform, TransformFnParams } from 'class-transformer';
import { IsString } from 'class-validator';
import * as sanitizeHtml from 'sanitize-html';

export class ContactInfoDTO {
  @ApiProperty()
  @IsString()
  // Runs when class-transformer builds the DTO; the sanitized value only reaches
  // the handler if ValidationPipe is created with { transform: true }.
  @Transform((params: TransformFnParams) => sanitizeHtml(params.value))
  public body: string;
}
Adding to Reza's response, this is an up-to-date version (cannot put it in a comment due to reputation):
import { Transform, TransformFnParams } from 'class-transformer';
import { IsString } from 'class-validator';
import * as sanitizeHtml from 'sanitize-html';
// ...
@IsString()
@Transform((params: TransformFnParams) => sanitizeHtml(params.value))
field: string
You could use the class-sanitizer library and apply its decorators to your model's properties:
import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
import { Escape } from 'class-sanitizer';

class ContactInfoDTO {
  @IsString()
  @IsNotEmpty()
  name: string

  @IsEmail()
  email: string

  @IsString()
  @IsNotEmpty()
  subject: string

  @IsString()
  @IsNotEmpty()
  // class-sanitizer decorators take effect when sanitize(instance) from
  // class-sanitizer is called (e.g. in a pipe); ValidationPipe alone does not run them.
  @Escape()
  body: string
}
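The answers above take two different routes: the sanitize-html answers strip disallowed markup out of the stored value, while the class-sanitizer answer converts it to HTML entities on input. Whether the question's body is actually a risk depends on where it is written into HTML, and the two routes interact badly with the usual defense of encoding at output. The following is an added example, not code from the question, the answers, NestJS or any of the libraries named above. It models an auto-escaping template with a hypothetical escapeHtml function, uses the question's payload as a constructed sample, and shows the unsafe render beside the encoded one and the double-encoding you get when a value that was escaped on input (as @Escape does) is rendered by a template that escapes again.

```typescript
// Added example: output encoding versus escaping on input.
// escapeHtml, renderMessage and renderMessageUnsafe are hypothetical helpers
// standing in for a template layer; they are not part of NestJS or the libraries above.

const ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Output encoding for an HTML text context (between tags). This is the mapping
// an auto-escaping template engine applies to interpolated values. It is not
// sufficient on its own for attribute, URL or JavaScript contexts.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => ESCAPES[ch] ?? ch);
}

// Vulnerable: the stored body is interpolated verbatim into the page.
function renderMessageUnsafe(name: string, body: string): string {
  return `<p><b>${name}</b> wrote:</p><p>${body}</p>`;
}

// Hardened: every interpolated value is encoded for the HTML text context.
function renderMessage(name: string, body: string): string {
  return `<p><b>${escapeHtml(name)}</b> wrote:</p><p>${escapeHtml(body)}</p>`;
}

// Does the rendered HTML contain a live (unencoded) element with this tag name?
function containsRawTag(html: string, tag: string): boolean {
  return html.toLowerCase().includes(`<${tag.toLowerCase()}`);
}

// Has a value been escaped twice (entity text that was itself entity-encoded)?
function isDoubleEncoded(html: string): boolean {
  return html.includes("&amp;lt;") || html.includes("&amp;gt;");
}

// Constructed sample: the exact payload from the question.
const SAMPLE_BODY = "Hello <script>//some malicious code here</script>";

// 1. Raw body stored, no encoding at render time: the script element is live.
const unsafePage = renderMessageUnsafe("Patrick", SAMPLE_BODY);

// 2. Raw body stored, encoded at render time: the payload is shown as text.
const safePage = renderMessage("Patrick", SAMPLE_BODY);

// 3. Body escaped on input (what @Escape does) and encoded again at render time:
//    the reader now sees a literal "&lt;script&gt;" instead of "<script>".
const doubleEscapedPage = renderMessage("Patrick", escapeHtml(SAMPLE_BODY));

console.log("unsafe page has live <script>:", containsRawTag(unsafePage, "script"));
console.log("encoded page has live <script>:", containsRawTag(safePage, "script"));
console.log("escape-on-input + auto-escaping template double-encodes:", isDoubleEncoded(doubleEscapedPage));
```

The practical reading for a NestJS service: validation decides whether a request is accepted, and encoding at the point of output is what prevents the stored body from executing, so a JSON API whose consumers render through a framework that encodes by default is not made safer by escaping on input. Escape or strip on input only when you have decided that the field will never legitimately contain that markup, and then make sure the rendering side does not encode it a second time.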