JAVASCRIPT

Server-Side HTML Sanitization to Prevent XSS

Learn to sanitize untrusted HTML input on the server side using the `xss` library in Node.js, so that only a whitelisted subset of HTML survives and Cross-Site Scripting (XSS) payloads are stripped before the content is stored or rendered.

const express = require('express');
const xss = require('xss');
const bodyParser = require('body-parser');

const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

// Custom XSS options (optional). Only the tags listed here are kept, and for each
// tag only the listed attributes; everything else (event handlers such as onerror,
// style, unknown tags) is dropped.
const xssOptions = {
  whiteList: {
    // `xss` additionally validates href values, so javascript: and other
    // non-http(s)/mailto/relative URLs are removed even though href is allowed
    a: ['href', 'title', 'target'],
    p: [],
    strong: [],
    em: [],
    br: []
  },
  stripIgnoreTag: true, // remove tags not on the whitelist (their text content is kept)
  stripIgnoreTagBody: ['script'] // remove script tags together with their contents
};

app.post('/submit-comment', (req, res) => {
  const userInput = req.body.comment;
  // Sanitize user input before storing or displaying
  const safeComment = xss(userInput, xssOptions);

  // In a real application, you would store `safeComment` in a database
  // and display it to other users. Only the sanitized value should ever be
  // rendered as HTML; the raw input is logged and echoed here purely for
  // demonstration so you can compare the two.
  console.log('Original Input:', userInput);
  console.log('Sanitized Output:', safeComment);

  res.json({
    message: 'Comment received and sanitized.',
    original: userInput,
    sanitized: safeComment
  });
});

app.get('/', (req, res) => {
  res.send(`
    <h1>Submit a Comment</h1>
    <form action="/submit-comment" method="POST">
      <textarea name="comment" rows="5" cols="50" placeholder="Enter your comment here..."></textarea><br>
      <button type="submit">Submit</button>
    </form>
    <p>Try submitting HTML like: &lt;script&gt;alert('XSS!');&lt;/script&gt;&lt;b&gt;Hello&lt;/b&gt;&lt;img src=x onerror=alert('Image XSS!')&gt;</p>
  `);
});

const PORT = 3000;
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});

How it works: This snippet demonstrates how to prevent Cross-Site Scripting (XSS) attacks by sanitizing user-provided HTML content on the server side using the `xss` library in Node.js. The library tokenizes the input and keeps only the tags and attributes on the configured whitelist: tags outside it are removed (with their text preserved), `script` tags are removed together with their contents, and attribute values such as `href` are checked before being kept. Because only the allowed subset of HTML is stored or rendered, injected scripts that could steal data or deface content never reach other users' browsers.
