
Input sanitization middleware — preventing injection attacks

XSS prevention, HTML entity encoding, SQL injection concept, input trimming, mongo injection, sanitize-html, express-validator sanitizers, req.body sanitization

Input Sanitization Middleware

Sanitization strips or escapes malicious content from user input before it reaches your business logic or database.

Simple sanitization middleware

/**
 * Express middleware that replaces a parsed request body with its
 * sanitized copy. Runs only when `req.body` is a non-null object (or
 * array), so it must be mounted after the body parser; query string and
 * route params are not touched. Always calls `next()`.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {Function} next
 */
function sanitizeBody(req, res, next) {
  const parsedBody = req.body;
  // `!= null` rejects both null and undefined; typeof then excludes scalars.
  const hasObjectBody = parsedBody != null && typeof parsedBody === 'object';
  if (hasObjectBody) {
    req.body = deepSanitize(parsedBody);
  }
  next();
}

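/**
 * Recursively trims strings and HTML-encodes the characters that carry
 * meaning in HTML markup, walking arrays and plain objects; other scalars
 * (numbers, booleans, null) are returned unchanged.
 *
 * The original chain escaped `&` last, which double-encodes the entities
 * produced for `<` and `>` (`&lt;` becomes `&amp;lt;`). `&` must be
 * replaced first. Quotes are encoded as well so the value is also safe
 * inside an attribute.
 *
 * NOTE(review): encoding at the input boundary stores already-encoded
 * text; the primary XSS defence is context-aware output encoding at
 * render time. Treat this middleware as defence in depth, not a
 * replacement for it.
 *
 * @param {*} obj - value from the parsed request body
 * @returns {*} sanitized copy of `obj` (the input is not mutated)
 */
function deepSanitize(obj) {
  if (typeof obj === 'string') {
    return obj
      .trim()
      .replace(/&/g, '&amp;')   // first, so later entities are not re-encoded
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  }
  if (Array.isArray(obj)) return obj.map(deepSanitize);
  if (obj && typeof obj === 'object') {
    // Object.fromEntries defines own properties, so a `__proto__` key
    // from the JSON cannot rewrite the prototype of the new object.
    return Object.fromEntries(
      Object.entries(obj).map(([key, value]) => [key, deepSanitize(value)])
    );
  }
  return obj;
}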

// Mount in this order: the JSON parser must populate req.body before
// sanitizeBody runs, otherwise the sanitizer sees nothing to clean.
app.use(express.json(), sanitizeBody);

Using express-validator for combined validation + sanitization

const { body, validationResult } = require('express-validator');

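// POST /comments — trim and HTML-escape `text` and `author`, then validate
// the escaped values. Note that `.escape()` runs before `.isLength()`, so
// the 500-character limit applies to the encoded string (`<` counts as 4).
// Only these two fields pass through a sanitizer chain, so the response is
// built from them explicitly instead of echoing the whole request body,
// which could carry unvalidated, unescaped extra keys back to the client.
app.post('/comments',
  body('text').trim().escape().isLength({ min: 1, max: 500 }),
  body('author').trim().escape().notEmpty(),
  (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    const { text, author } = req.body;
    res.status(201).json({ text, author });
  }
);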

Install it with `npm install express-validator`. The `.escape()` method HTML-encodes special characters. Always sanitize before validation, not after — validate the clean data.
