@opengis/fastify-table 1.0.73 → 1.0.75

package/cron/funcs/addCron.js

@@ -1,131 +1,131 @@
-import { createHash } from 'crypto';
-
-import cronList from '../controllers/utils/cronList.js';
-import getRedis from '../../redis/funcs/getRedis.js';
-import getPG from '../../pg/funcs/getPG.js';
-
-const md5 = (string) => createHash('md5').update(string).digest('hex');
-
-async function verifyUnique(name, config, rclient) {
-  const cronId = config.port || 3000 + md5(name);
-  // one per node check
-  const key = `cron:unique:${cronId}`;
-  const unique = await rclient.setnx(key, 1);
-  const ttl = await rclient.ttl(key);
-  if (!unique && ttl !== -1) {
-    return false;
-  }
-  await rclient.expire(key, 20);
-  return true;
-}
-
-const intervalStringMs = {
-  everyMin: 1000 * 60,
-  tenMin: 1000 * 60 * 10,
-  everyHour: 1000 * 60 * 60,
-  isHalfday: 1000 * 60 * 60 * 12,
-  dailyHour: 1000 * 60 * 60 * 24,
-};
-
-const interval2ms = {
-  string: (interval) => {
-    const date = new Date();
-    const intervarSplit = interval.match(/^(\*{2}|(\*)?(\d{1,2})):(\*(\d)|(\d{2}))/);
-    if (!intervarSplit) {
-      throw new Error(`interval ${interval} not suported`);
-    }
-    const [, , isHalfday, dailyHour, , tenMin, HourlyMin] = intervarSplit;
-    const intervalMs = (isHalfday && intervalStringMs.isHalfday)
-      || (dailyHour && intervalStringMs.dailyHour)
-      || (tenMin && intervalStringMs.tenMin)
-      || intervalStringMs.everyHour;
-    const offsetDay = ((+dailyHour || 0) * 60 + (+tenMin || +HourlyMin)) * 60 * 1000;
-    const offsetCur = (date - date.getTimezoneOffset() * 1000 * 60) % intervalMs;
-    const waitMs = (offsetDay - offsetCur + intervalMs) % intervalMs;
-    return [waitMs, intervalMs];
-  },
-  number: (interval) => {
-    const date = new Date();
-    const intervalMs = interval * 1000;
-    const dateWithTZ = date - date.getTimezoneOffset() * 1000 * 60;
-    const offsetCur = dateWithTZ % intervalMs;
-    // start every cron within 1 hour
-    const sixtyMinutesStartMs = 3600000;
-    const waitMs = (intervalMs - offsetCur) % sixtyMinutesStartMs;
-    return [waitMs, intervalMs];
-  },
-};
-
-async function runCron({
-  pg, funcs, func, name, rclient, log,
-}) {
-  const unique = await verifyUnique(name, funcs.config, rclient);
-
-  if (!unique) return;
-  const db = pg.options.database;
-  log.debug(`cron.${name}`, 1, db);
-  try {
-    const data = await func({ pg, funcs, log });
-    log.debug('cron', { db, name, result: data });
-    log.info('cron', { db, name, result: data });
-  }
-  catch (err) {
-    log.debug('cron', { db, name, error: err.toString() });
-    log.error('cron', { db, name, error: err.toString() });
-  }
-}
-
-/**
- * interval:
- * -   02:54 - every day
- * -    2:03 - every day
- * -   *1:43 - 2 times a day
- * -  *12:03 - 2 times a day
- * -   **:54 - every hour
- * -   **:*3 - every 10 minutes
- * -      60 - every minute
- * - 10 * 60 - every 10 minutes
- */
-
-export default async function addCron(func, interval, fastify) {
-  if (!fastify) {
-    throw new Error('not enough params: fastify');
-  }
-
-  const { config = {}, log } = fastify;
-  const { time = {}, disabled = [] } = config.cron || {};
-  const pg = getPG();
-  const rclient = getRedis();
-
-  const name = func.name || func.toString().split('/').at(-1).split('\'')[0];
-
-  // if (!config.isServer) return;
-
-  if (disabled.includes(name)) {
-    log.debug('cron', { name, message: 'cron disabled' });
-    return;
-  }
-
-  cronList[name] = func;
-
-  const userInterval = time[name] || interval;
-  const [waitMs, intervalMs] = interval2ms[typeof interval](userInterval);
-
-  if (intervalMs < 1000) {
-    log.warn('cron', { name, error: `interval ${interval} to small` });
-    return;
-  }
-
-  // setTimeout to w8 for the time to start
-  setTimeout(() => {
-    runCron({
-      pg, funcs: fastify, func, name, rclient, log,
-    });
-    // interval
-    setInterval(() => {
-      runCron({
-        pg, funcs: fastify, func, name, rclient, log,
-      });
-    }, intervalMs);
-  }, waitMs);
-}
+import { createHash } from 'crypto';
+
+import cronList from '../controllers/utils/cronList.js';
+import getRedis from '../../redis/funcs/getRedis.js';
+import getPG from '../../pg/funcs/getPG.js';
+
+const md5 = (string) => createHash('md5').update(string).digest('hex');
+
+async function verifyUnique(name, config, rclient) {
+  const cronId = config.port || 3000 + md5(name);
+  // one per node check
+  const key = `cron:unique:${cronId}`;
+  const unique = await rclient.setnx(key, 1);
+  const ttl = await rclient.ttl(key);
+  if (!unique && ttl !== -1) {
+    return false;
+  }
+  await rclient.expire(key, 20);
+  return true;
+}
+
+const intervalStringMs = {
+  everyMin: 1000 * 60,
+  tenMin: 1000 * 60 * 10,
+  everyHour: 1000 * 60 * 60,
+  isHalfday: 1000 * 60 * 60 * 12,
+  dailyHour: 1000 * 60 * 60 * 24,
+};
+
+const interval2ms = {
+  string: (interval) => {
+    const date = new Date();
+    const intervarSplit = interval.match(/^(\*{2}|(\*)?(\d{1,2})):(\*(\d)|(\d{2}))/);
+    if (!intervarSplit) {
+      throw new Error(`interval ${interval} not suported`);
+    }
+    const [, , isHalfday, dailyHour, , tenMin, HourlyMin] = intervarSplit;
+    const intervalMs = (isHalfday && intervalStringMs.isHalfday)
+      || (dailyHour && intervalStringMs.dailyHour)
+      || (tenMin && intervalStringMs.tenMin)
+      || intervalStringMs.everyHour;
+    const offsetDay = ((+dailyHour || 0) * 60 + (+tenMin || +HourlyMin)) * 60 * 1000;
+    const offsetCur = (date - date.getTimezoneOffset() * 1000 * 60) % intervalMs;
+    const waitMs = (offsetDay - offsetCur + intervalMs) % intervalMs;
+    return [waitMs, intervalMs];
+  },
+  number: (interval) => {
+    const date = new Date();
+    const intervalMs = interval * 1000;
+    const dateWithTZ = date - date.getTimezoneOffset() * 1000 * 60;
+    const offsetCur = dateWithTZ % intervalMs;
+    // start every cron within 1 hour
+    const sixtyMinutesStartMs = 3600000;
+    const waitMs = (intervalMs - offsetCur) % sixtyMinutesStartMs;
+    return [waitMs, intervalMs];
+  },
+};
+
+async function runCron({
+  pg, funcs, func, name, rclient, log,
+}) {
+  const unique = await verifyUnique(name, funcs.config, rclient);
+
+  if (!unique) return;
+  const db = pg.options.database;
+  log.debug(`cron.${name}`, 1, db);
+  try {
+    const data = await func({ pg, funcs, log });
+    log.debug('cron', { db, name, result: data });
+    log.info('cron', { db, name, result: data });
+  }
+  catch (err) {
+    log.debug('cron', { db, name, error: err.toString() });
+    log.error('cron', { db, name, error: err.toString() });
+  }
+}
+
+/**
+ * interval:
+ * -   02:54 - every day
+ * -    2:03 - every day
+ * -   *1:43 - 2 times a day
+ * -  *12:03 - 2 times a day
+ * -   **:54 - every hour
+ * -   **:*3 - every 10 minutes
+ * -      60 - every minute
+ * - 10 * 60 - every 10 minutes
+ */
+
+export default async function addCron(func, interval, fastify) {
+  if (!fastify) {
+    throw new Error('not enough params: fastify');
+  }
+
+  const { config = {}, log } = fastify;
+  const { time = {}, disabled = [] } = config.cron || {};
+  const pg = getPG();
+  const rclient = getRedis();
+
+  const name = func.name || func.toString().split('/').at(-1).split('\'')[0];
+
+  // if (!config.isServer) return;
+
+  if (disabled.includes(name)) {
+    log.debug('cron', { name, message: 'cron disabled' });
+    return;
+  }
+
+  cronList[name] = func;
+
+  const userInterval = time[name] || interval;
+  const [waitMs, intervalMs] = interval2ms[typeof interval](userInterval);
+
+  if (intervalMs < 1000) {
+    log.warn('cron', { name, error: `interval ${interval} to small` });
+    return;
+  }
+
+  // setTimeout to w8 for the time to start
+  setTimeout(() => {
+    runCron({
+      pg, funcs: fastify, func, name, rclient, log,
+    });
+    // interval
+    setInterval(() => {
+      runCron({
+        pg, funcs: fastify, func, name, rclient, log,
+      });
+    }, intervalMs);
+  }, waitMs);
+}

package/cron/index.js

@@ -1,10 +1,10 @@
-import cronApi from './controllers/cronApi.js';
-import addCron from './funcs/addCron.js';
-
-async function plugin(fastify, config = {}) {
-  const prefix = config.prefix || '/api';
-  fastify.decorate('addCron', addCron);
-  fastify.get(`${prefix}/cron/:name`, {}, cronApi);
-}
-
-export default plugin;
+import cronApi from './controllers/cronApi.js';
+import addCron from './funcs/addCron.js';
+
+async function plugin(fastify, config = {}) {
+  const prefix = config.prefix || '/api';
+  fastify.decorate('addCron', addCron);
+  fastify.get(`${prefix}/cron/:name`, {}, cronApi);
+}
+
+export default plugin;

package/crud/controllers/deleteCrud.js

@@ -1,14 +1,19 @@
-import dataDelete from '../funcs/dataDelete.js';
-import getTemplate from '../../table/controllers/utils/getTemplate.js';
-
-export default async function deleteCrud(req) {
-  const loadTemplate = await getTemplate('table', req.opt?.table || req.params.table);
-  const { table } = loadTemplate || req.opt || req.params || {};
-  const { id } = req.opt || req.params || {};
-
-  if (!table) return { status: 404, message: 'table is required' };
-
-  const data = await dataDelete({ table, id });
-
-  return { rowCount: data.rowCount, msg: !data.rowCount ? data : null };
-}
+import dataDelete from '../funcs/dataDelete.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
+
+export default async function deleteCrud(req) {
+  const { actions = [], scope, my } = await getAccess(req, req.params.table, req.params.id) || {};
+  if (!actions.includes('del') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+  const loadTemplate = await getTemplate('table', req.opt?.table || req.params.table);
+  const { table } = loadTemplate || req.opt || req.params || {};
+  const { id } = req.opt || req.params || {};
+
+  if (!table) return { status: 404, message: 'table is required' };
+
+  const data = await dataDelete({ table, id });
+
+  return { rowCount: data.rowCount, msg: !data.rowCount ? data : null };
+}

package/crud/controllers/insert.js

@@ -1,48 +1,54 @@
-import dataInsert from '../funcs/dataInsert.js';
-import getToken from '../funcs/getToken.js';
-import checkXSS from './utils/checkXSS.js';
-import getTemplate from '../../table/controllers/utils/getTemplate.js';
-
-export default async function insert(req) {
-  if (!req.params?.table) {
-    return { message: 'table is required', status: 400 };
-  }
-  const loadTemplate = await getTemplate('table', req.params.table);
-  const { table, public: ispublic } = loadTemplate || req.params || {};
-  if (!table) {
-    return { message: 'table not found', status: 404 };
-  }
-
-  const { funcs = {}, user = {}, params = {} } = req;
-  const uid = funcs.config?.auth?.disable || ispublic ? '1' : user.uid;
-  const tokenDataString = await getToken({
-    funcs, uid, token: params.table, mode: 'a', json: 0,
-  });
-
-  const { form, add } = JSON.parse(tokenDataString || '{}');
-
-  const formData = form || loadTemplate?.form ? (await getTemplate('form', form || loadTemplate?.form) || {}) : {};
-
-  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
-
-  if (xssCheck.error && formData?.xssCheck !== false) {
-    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
-    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
-  }
-
-  const res = await dataInsert({ table: add || table, data: req.body });
-
-  const extraKeys = Object.keys(formData)?.filter((key) => formData?.[key]?.type === 'DataTable' && formData?.[key]?.table && formData?.[key]?.parent_id && req.body[key].length);
-  if (extraKeys?.length) {
-    res.extra = {};
-    await Promise.all(extraKeys?.map(async (key) => {
-      const extraRows = await Promise.all(req.body[key].map(async (row) => {
-        const extraRes = await dataInsert({ table: formData[key].table, data: { ...row, [formData[key].parent_id]: req.body[formData[key].parent_id] } });
-        return extraRes?.rows?.[0];
-      }));
-      Object.assign(res.extra, { [key]: extraRows.filter((el) => el) });
-    }));
-  }
-
-  return { rows: res.rows, extra: res.extra };
-}
+import dataInsert from '../funcs/dataInsert.js';
+import getToken from '../funcs/getToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
+
+export default async function insert(req) {
+  const { actions = [] } = await getAccess(req, req.params.table) || {};
+  if (!actions.includes('edit')) {
+    return { message: 'access restricted', status: 403 };
+  }
+  if (!req.params?.table) {
+    return { message: 'table is required', status: 400 };
+  }
+  const loadTemplate = await getTemplate('table', req.params.table);
+  const { table, public: ispublic } = loadTemplate || req.params || {};
+  if (!table) {
+    return { message: 'table not found', status: 404 };
+  }
+
+  const { funcs = {}, user = {}, params = {} } = req;
+  const tokenDataString = await getToken({
+    funcs, uid: user.uid, token: params.table, mode: 'a', json: 0,
+  });
+
+  const { form, add } = JSON.parse(tokenDataString || '{}');
+
+  const formData = form || loadTemplate?.form ? (await getTemplate('form', form || loadTemplate?.form) || {}) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const { uid } = funcs.config?.auth?.disable || ispublic ? { uid: '1' } : user || {};
+  Object.assign(req.body, { uid, editor_id: uid });
+  const res = await dataInsert({ table: add || table, data: req.body });
+
+  const extraKeys = Object.keys(formData)?.filter((key) => formData?.[key]?.type === 'DataTable' && formData?.[key]?.table && formData?.[key]?.parent_id && req.body[key].length);
+  if (extraKeys?.length) {
+    res.extra = {};
+    await Promise.all(extraKeys?.map(async (key) => {
+      const extraRows = await Promise.all(req.body[key].map(async (row) => {
+        const extraRes = await dataInsert({ table: formData[key].table, data: { ...row, [formData[key].parent_id]: req.body[formData[key].parent_id] } });
+        return extraRes?.rows?.[0];
+      }));
+      Object.assign(res.extra, { [key]: extraRows.filter((el) => el) });
+    }));
+  }
+
+  return { rows: res.rows, extra: res.extra };
+}

package/crud/controllers/update.js

@@ -1,54 +1,59 @@
-import dataUpdate from '../funcs/dataUpdate.js';
-import dataInsert from '../funcs/dataInsert.js';
-import pgClients from '../../pg/pgClients.js';
-import getToken from '../funcs/getToken.js';
-import checkXSS from './utils/checkXSS.js';
-import getTemplate from '../../table/controllers/utils/getTemplate.js';
-
-export default async function update(req) {
-  if (!req.params?.table) {
-    return { message: 'table is required', status: 400 };
-  }
-  if (!req.params?.id) {
-    return { message: 'id is required', status: 404 };
-  }
-  const loadTemplate = await getTemplate('table', req.params.table);
-  const { table, public: ispublic } = loadTemplate || req.params || {};
-  const { id } = req.params || {};
-
-  const { funcs = {}, user = {}, params = {} } = req;
-  const uid = funcs.config?.auth?.disable || ispublic ? '1' : user.uid;
-  const tokenDataString = await getToken({
-    funcs, uid, token: params.table, mode: 'w', json: 0,
-  });
-
-  const tokenData = JSON.parse(tokenDataString || '{}');
-
-  const formData = tokenData?.form || loadTemplate?.form ? await getTemplate('form', tokenData.form || loadTemplate?.form) : {};
-
-  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
-
-  if (xssCheck.error && formData?.xssCheck !== false) {
-    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
-    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
-  }
-
-  const res = await dataUpdate({ table: tokenData?.table || table, id: tokenData?.id || id, data: req.body });
-
-  const extraKeys = Object.keys(formData)?.filter((key) => formData?.[key]?.type === 'DataTable' && formData?.[key]?.table && formData?.[key]?.parent_id && req.body[key].length);
-  if (extraKeys?.length) {
-    res.extra = {};
-    await Promise.all(extraKeys?.map(async (key) => {
-      // delete old extra data
-      await pgClients.client.query(`delete from ${formData[key].table} where ${formData[key].parent_id}=$1`, [req.body[formData[key].parent_id]]);
-      // insert new extra data
-      const extraRows = await Promise.all(req.body[key].map(async (row) => {
-        const extraRes = await dataInsert({ table: formData[key].table, data: { ...row, [formData[key].parent_id]: req.body[formData[key].parent_id] } });
-        return extraRes?.rows?.[0];
-      }));
-      Object.assign(res.extra, { [key]: extraRows.filter((el) => el) });
-    }));
-  }
-
-  return res;
-}
+import dataUpdate from '../funcs/dataUpdate.js';
+import dataInsert from '../funcs/dataInsert.js';
+import pgClients from '../../pg/pgClients.js';
+import getToken from '../funcs/getToken.js';
+import checkXSS from './utils/checkXSS.js';
+import getTemplate from '../../table/controllers/utils/getTemplate.js';
+import getAccess from '../funcs/getAccess.js';
+
+export default async function update(req) {
+  const { actions = [], scope, my } = await getAccess(req, req.params.table, req.params.id) || {};
+  if (!actions.includes('edit') || (scope === 'my' && !my)) {
+    return { message: 'access restricted', status: 403 };
+  }
+  if (!req.params?.table) {
+    return { message: 'table is required', status: 400 };
+  }
+  if (!req.params?.id) {
+    return { message: 'id is required', status: 404 };
+  }
+  const loadTemplate = await getTemplate('table', req.params.table);
+  const { table, public: ispublic } = loadTemplate || req.params || {};
+  const { id } = req.params || {};
+
+  const { funcs = {}, user = {}, params = {} } = req;
+  const uid = funcs.config?.auth?.disable || ispublic ? '1' : user.uid;
+  const tokenDataString = await getToken({
+    funcs, uid, token: params.table, mode: 'w', json: 0,
+  });
+
+  const tokenData = JSON.parse(tokenDataString || '{}');
+
+  const formData = tokenData?.form || loadTemplate?.form ? await getTemplate('form', tokenData.form || loadTemplate?.form) : {};
+
+  const xssCheck = checkXSS({ body: req.body, schema: formData?.schema });
+
+  if (xssCheck.error && formData?.xssCheck !== false) {
+    req.log.warn({ name: 'injection/xss', msg: xssCheck.error, table }, req);
+    return { message: 'Дані містять заборонені символи. Приберіть їх та спробуйте ще раз', status: 409 };
+  }
+
+  const res = await dataUpdate({ table: tokenData?.table || table, id: tokenData?.id || id, data: req.body });
+
+  const extraKeys = Object.keys(formData)?.filter((key) => formData?.[key]?.type === 'DataTable' && formData?.[key]?.table && formData?.[key]?.parent_id && req.body[key].length);
+  if (extraKeys?.length) {
+    res.extra = {};
+    await Promise.all(extraKeys?.map(async (key) => {
+      // delete old extra data
+      await pgClients.client.query(`delete from ${formData[key].table} where ${formData[key].parent_id}=$1`, [req.body[formData[key].parent_id]]);
+      // insert new extra data
+      const extraRows = await Promise.all(req.body[key].map(async (row) => {
+        const extraRes = await dataInsert({ table: formData[key].table, data: { ...row, [formData[key].parent_id]: req.body[formData[key].parent_id] } });
+        return extraRes?.rows?.[0];
+      }));
+      Object.assign(res.extra, { [key]: extraRows.filter((el) => el) });
+    }));
+  }
+
+  return res;
+}

package/crud/controllers/utils/checkXSS.js

@@ -1,45 +1,45 @@
-/* import sqlInjection from '../../../policy/funcs/sqlInjection.js'; */
-import xssInjection from './xssInjection.js';
-
-/* const checkList = xssInjection.concat(sqlInjection); */
-
-// RTE - rich text editor
-
-function checkXSS({ body, schema = {} }) {
-  const data = typeof body === 'string' ? body : JSON.stringify(body);
-  const stopWords = xssInjection.filter((el) => data.toLowerCase().includes(el));
-
-  // check sql injection
-  const stopSpecialSymbols = data.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/gi);
-  if (stopSpecialSymbols?.length) stopSpecialSymbols?.forEach((el) => stopWords.push(el));
-
-  // escape arrows on non-RTE
-  Object.keys(body)
-    .filter((key) => ['<', '>'].find((el) => body[key]?.includes?.(el))
-  && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
-    ?.forEach((key) => {
-      Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
-    });
-  // try { } catch (err) { return { error: err.toString() }; }
-
-  if (!stopWords.length) return { body };
-
-  const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
-
-  // check RTE
-  /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));
-  richTextFields.filter((key) => !checkList.find((el) => body[key].includes(el)))?.forEach((key) => {
-    disabledCheckFields.push(key);
-  }); */
-
-  const field = Object.keys(body)
-    ?.find((key) => body[key]
-        && !disabledCheckFields.includes(key)
-        && body[key].toLowerCase().includes(stopWords[0]));
-  if (field) {
-    return { error: `rule: ${stopWords[0]} | attr: ${field} | val: ${body[field]}`, body };
-  }
-  return { body };
-}
-
-export default checkXSS;
+/* import sqlInjection from '../../../policy/funcs/sqlInjection.js'; */
+import xssInjection from './xssInjection.js';
+
+/* const checkList = xssInjection.concat(sqlInjection); */
+
+// RTE - rich text editor
+
+function checkXSS({ body, schema = {} }) {
+  const data = typeof body === 'string' ? body : JSON.stringify(body);
+  const stopWords = xssInjection.filter((el) => data.toLowerCase().includes(el));
+
+  // check sql injection
+  const stopSpecialSymbols = data.match(/\p{S}OR\p{S}|\p{P}OR\p{P}| OR |\+OR\+/gi);
+  if (stopSpecialSymbols?.length) stopSpecialSymbols?.forEach((el) => stopWords.push(el));
+
+  // escape arrows on non-RTE
+  Object.keys(body)
+    .filter((key) => ['<', '>'].find((el) => body[key]?.includes?.(el))
+  && !['Summernote', 'Tiny', 'Ace'].includes(schema[key]?.type))
+    ?.forEach((key) => {
+      Object.assign(body, { [key]: body[key].replace(/</g, '&lt;').replace(/>/g, '&gt;') });
+    });
+  // try { } catch (err) { return { error: err.toString() }; }
+
+  if (!stopWords.length) return { body };
+
+  const disabledCheckFields = Object.keys(schema)?.filter((el) => schema[el]?.xssCheck === false); // exclude specific columns
+
+  // check RTE
+  /* const richTextFields = Object.keys(schema).filter((el) => ['Summernote', 'Tiny', 'Ace'].includes(schema[el]?.type));
+  richTextFields.filter((key) => !checkList.find((el) => body[key].includes(el)))?.forEach((key) => {
+    disabledCheckFields.push(key);
+  }); */
+
+  const field = Object.keys(body)
+    ?.find((key) => body[key]
+        && !disabledCheckFields.includes(key)
+        && body[key].toLowerCase().includes(stopWords[0]));
+  if (field) {
+    return { error: `rule: ${stopWords[0]} | attr: ${field} | val: ${body[field]}`, body };
+  }
+  return { body };
+}
+
+export default checkXSS;