You’ve seen how to validate input that comes from the outside world to your Express app.
There’s one thing you quickly learn when you run a public-facing server: never trust the input.
Even if you sanitize and make sure that people can’t enter weird things using client-side code, you’ll still be subject to people using tools (even just the browser devtools) to POST directly to your endpoints.
Or bots trying every possible combination of exploit known to humans.
What you need to do is sanitize your input.
The express-validator package you already use to validate input can also conveniently be used to perform sanitization.
Say you have a POST endpoint that accepts the name, email and age parameters:
const express = require('express')
const app = express()
app.use(express.json())

app.post('/form', (req, res) => {
  const name = req.body.name
  const email = req.body.email
  const age = req.body.age
})
You might validate it using:
const express = require('express')
const { check } = require('express-validator')
const app = express()
app.use(express.json())

app.post('/form', [
  check('name').isLength({ min: 3 }),
  check('email').isEmail(),
  check('age').isNumeric()
], (req, res) => {
  const name = req.body.name
  const email = req.body.email
  const age = req.body.age
})
You can add sanitization by piping the sanitization methods after the validation ones:
app.post('/form', [
  check('name').isLength({ min: 3 }).trim().escape(),
  check('email').isEmail().normalizeEmail(),
  check('age').isNumeric().trim().escape()
], (req, res) => {
  //...
})
Here I used the methods:
trim(): trims characters (whitespace by default) at the beginning and at the end of a string
escape(): replaces <, >, &, ', " and / with their corresponding HTML entities
normalizeEmail(): canonicalizes an email address. Accepts several options to lowercase email addresses or subaddresses (e.g. flavio+newsletters@gmail.com)
Other sanitization methods:
blacklist(): remove characters that appear in the blacklist
whitelist(): remove characters that do not appear in the whitelist
unescape(): replaces HTML encoded entities with <, >, &, ', " and /
ltrim(): like trim(), but only trims characters at the start of the string
rtrim(): like trim(), but only trims characters at the end of the string
stripLow(): remove ASCII control characters, which are normally invisible
Force conversion to a format:
toBoolean(): convert the input string to a boolean. Everything except for '0', 'false' and '' (the empty string) returns true. In strict mode only '1' and 'true' return true
toDate(): convert the input string to a date, or null if the input is not a date
toFloat(): convert the input string to a float, or NaN if the input is not a float
toInt(): convert the input string to an integer, or NaN if the input is not an integer
Like with custom validators, you can create a custom sanitizer.
In the callback function you just return the sanitized value:
const express = require('express')
const { check } = require('express-validator')
const app = express()
app.use(express.json())

const sanitizeValue = value => {
  //sanitize...
  return value
}

app.post('/form', [
  check('value').customSanitizer(value => {
    return sanitizeValue(value)
  }),
], (req, res) => {
  const value = req.body.value
})
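As an added example (not code from the original article or from express-validator), here are dependency-free versions of the sanitizers described above, applied to a constructed hostile request body as one would inside a customSanitizer callback, so you can see exactly what escape(), stripLow(), whitelist(), toBoolean() and toInt() do to input; the entity spellings, control-character range and parseInt behaviour mirror validator.js, normalizeEmail() is left out, and SAMPLE_BODY is an assumed, constructed input.

```javascript
// Added example: re-implementation of the sanitizers this page describes, so the
// effect on hostile input is visible. Real apps chain express-validator's methods.

// escape(): the six characters named above -> HTML entities (validator.js spellings)
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function escape(str) {
  return String(str).replace(/[&<>"'\/]/g, (c) => ESCAPE_MAP[c]);
}

// stripLow(): remove ASCII control characters (0x00-0x1F and 0x7F); with
// keepNewLines, tab/newline/carriage return survive so multi-line fields still work
function stripLow(str, keepNewLines = false) {
  const re = keepNewLines ? /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g : /[\x00-\x1F\x7F]/g;
  return String(str).replace(re, '');
}

// whitelist(): keep only the characters listed in `chars`
function whitelist(str, chars) {
  return [...String(str)].filter((c) => chars.includes(c)).join('');
}

// toBoolean(): '0', 'false' and '' are false; in strict mode only '1' and 'true' are true
function toBoolean(str, strict = false) {
  const s = String(str);
  if (strict) return s === '1' || s.toLowerCase() === 'true';
  return s !== '0' && s.toLowerCase() !== 'false' && s !== '';
}

// toInt(): parseInt semantics, NaN when the input does not start with digits
function toInt(str) {
  return Number.parseInt(String(str), 10);
}

// The chain from the /form example, applied field by field to one request body.
// Note the order: trim, drop control characters, then escape for HTML output.
function sanitizeForm(body) {
  return {
    name: escape(stripLow(String(body.name).trim())),
    age: toInt(String(body.age).trim()),
    newsletter: toBoolean(body.newsletter, true),
    zip: whitelist(String(body.zip), '0123456789'),
  };
}

// Constructed hostile input (assumption): script tag, BEL control char, junk in zip.
const SAMPLE_BODY = { name: '  <script>alert(1)</script> Bob\x07 ', age: ' 42 ', newsletter: 'yes', zip: '12-345a' };
```

After sanitizeForm(SAMPLE_BODY) the name no longer contains a raw < or /, so embedding it in an HTML response cannot start a tag; the zip keeps only digits and 'yes' is rejected by strict toBoolean().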