@apolitical/server 2.9.0 → 2.10.0-draco.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/package.json +3 -2
  3. package/src/config.js +9 -0
  4. package/src/container.js +2 -0
  5. package/src/helpers/request.helper.js +14 -4
package/CHANGELOG.md CHANGED
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [2.10.0] - 2023-04-24
9
+ ### Added
10
+ - `sanitiseInput` method to request helpers
11
+ - XSS package
12
+
13
+ ## [2.9.1] - 2023-01-31
14
+ ### Added
15
+ - Renovate config file
16
+
8
17
  ## [2.9.0] - 2023-01-10
9
18
  ### Changed
10
19
  - Bump dependencies to keep the project up-to-date
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@apolitical/server",
3
- "version": "2.9.0",
3
+ "version": "2.10.0-draco.0",
4
4
  "description": "Node.js module to encapsulate Apolitical's express server setup",
5
5
  "author": "Apolitical Group Limited <engineering@apolitical.co>",
6
6
  "license": "MIT",
@@ -45,7 +45,8 @@
45
45
  "passport-jwt": "4.0.1",
46
46
  "prerender-node": "3.5.0",
47
47
  "qs": "6.11.0",
48
- "swagger-ui-express": "4.6.0"
48
+ "swagger-ui-express": "4.6.0",
49
+ "xss": "1.0.14"
49
50
  },
50
51
  "devDependencies": {
51
52
  "@apolitical/eslint-config": "2.1.0",
package/src/config.js CHANGED
@@ -24,6 +24,15 @@ module.exports = {
24
24
  },
25
25
  DOCUMENTATION: '/docs/',
26
26
  },
27
+ HELPERS: {
28
+ SANITISATION: {
29
+ DEFAULT_XSS_OPTIONS: {
30
+ whiteList: {}, // Disable all HTML tags and attributes
31
+ stripIgnoreTag: true, // Remove any remaining HTML content
32
+ stripIgnoreTagBody: ['script'], // Remove script tags and their content
33
+ },
34
+ },
35
+ },
27
36
  MIDDLEWARES: {
28
37
  PERMISSIONS: {
29
38
  ADMIN_ROLE,
package/src/container.js CHANGED
@@ -21,6 +21,7 @@ const passportJwt = require('passport-jwt');
21
21
  const prerender = require('prerender-node');
22
22
  const qs = require('qs');
23
23
  const swaggerUi = require('swagger-ui-express');
24
+ const xss = require('xss');
24
25
  // Internal Modules
25
26
  const apoliticalLogger = require('@apolitical/logger');
26
27
  // Configuration
@@ -77,6 +78,7 @@ container.register({
77
78
  prerender: asValue(prerender),
78
79
  qs: asValue(qs),
79
80
  swaggerUi: asValue(swaggerUi),
81
+ xss: asValue(xss),
80
82
  // Internal Modules
81
83
  apoliticalLogger: asValue(apoliticalLogger),
82
84
  // Configuration
package/src/helpers/request.helper.js CHANGED
@@ -1,11 +1,16 @@
1
1
  'use strict';
2
2
 
3
3
  module.exports =
4
- ({ qs, jwtEncodeHelper, config }) =>
4
+ ({ qs, jwtEncodeHelper, config, xss }) =>
5
5
  ({ sessionSecret = null } = {}) => {
6
6
  const {
7
- APOLITICAL: { ISSUER, ADMIN_ROLE, COOKIE_KEY },
8
- } = config.JWT;
7
+ JWT: {
8
+ APOLITICAL: { ISSUER, ADMIN_ROLE, COOKIE_KEY },
9
+ },
10
+ HELPERS: {
11
+ SANITISATION: { DEFAULT_XSS_OPTIONS },
12
+ },
13
+ } = config;
9
14
 
10
15
  function generateAdminToken() {
11
16
  if (!sessionSecret) {
@@ -55,5 +60,10 @@ module.exports =
55
60
  return queryString ? `?${queryString}` : '';
56
61
  }
57
62
 
58
- return { buildOptions, buildQueryString };
63
+ function sanitiseInput(input = {}, options = DEFAULT_XSS_OPTIONS) {
64
+ const sanitizedInput = JSON.parse(xss(JSON.stringify(input), options));
65
+ return sanitizedInput || {};
66
+ }
67
+
68
+ return { buildOptions, buildQueryString, sanitiseInput };
59
69
  };