Sanitizing the post route [nodeJS]

Casper

Joined
Dec 31, 2016
Messages
23
Likes
13
Degree
0
Right I know this is simple but its driving me potty and Im clearly missing something object related.

Im trying to sanitize the user input as it comes in from a post request the sanitization functions I'm using are;

Code: 
function sanitizeUsername(userS) {
    return userS = userS.replace(/[^a-zA-Z0-9 .@-]/gim, "");
};
function sanitizePassword(passS) {
   return passS = passS.replace(/[^a-zA-Z0-9 ]/gim, " ");
};

the route file looks like

Code: 
var express = require('express');
var router = express.Router();
var user = require("../models/users");

// sanitize functions

function sanitizeUsername(userS) {
   return userS = userS.replace(/[^a-zA-Z0-9 .@-]/gim, "");
};
function sanitizePassword(passS) {
   return passS = passS.replace(/[^a-zA-Z0-9 ]/gim, " ");
};

/* GET home page. */
router.get('/', function (req, res) {
    res.render('index', { title: 'Express' });
});

/* GET login page. */
router.get('/login', function (req, res, next) {
    res.render('login', { title: 'Express' });
});

/* POST login page. */
router.post('/login', function (req, res, next) {
        
   sanitizeUsername =  sanitizeUsername(req.body.username);
    sanitizePassword = sanitizePassword(req.body.password);

console.log(sanitizeUsername);
console.log(sanitizePassword);


module.exports = router;

This is basic i get that but what am i doing wrong!
 
Firstly I would advise against doing any sanitation on a password. If you're storing a password in a hashed form (which you should be) it will not require any sanitation.

So lets talk about your sanitize username function:

Code: 
function sanitizeUsername(userS) {
  return userS = userS.replace(/[^a-zA-Z0-9 .@-]/gim, "");
};

Your regex will remove any character that is not a-z, A-Z, 0-9, space, period, ampersand, or a dash. Now your options are weird, g seems appropriate because you want it globally. However i means case insensitive, which you already specified with the A-Z so you can remove the i. Lastly m means multi-line, and a username is not a multi-line piece of information so you could remove that as well.

Furthermore you don't need to assign the output value to anything of .replace to anything you can simply return the value.

What it should look like:
Code: 
function sanitizeUsername(userS) {
  return userS.replace(/[^a-zA-Z0-9 .@-]/g, "");
};

Also is that your entire file you posted because you are for sure missing at least a }) on your /login router.

Just for the sake of it I did a quick look at express and rewrote your example because there was a lot wrong with it. One thing that would have caused big issue is this:
Code: 
 sanitizeUsername =  sanitizeUsername(req.body.username);
 sanitizePassword = sanitizePassword(req.body.password);

The problem with the above is you are assigning the response of a function to the actual function in scope. It's going to break your program.

I tested this out, should work.

Code: 
var express = require('express');
// var user = require("../models/users"); // warning you are importing but not using this

var app = express();

// sanitize functions

function sanitizeUsername(username) {
    return username.replace(/[^a-zA-Z0-9 .@-]/g, "");
};

function sanitizePassword(password) {
    return password.replace(/[^a-zA-Z0-9 ]/g, "");
};

// routes

/* GET home page. */
app.get('/', function (req, res) {
    res.render('index', {title: 'Express'});
});

/* GET login page. */
app.get('/login', function (req, res, next) {
    res.render('login', {title: 'Express'});
});

/* POST login page. */
app.post('/login', function (req, res, next) {

    username = sanitizeUsername(req.body.username);
    password = sanitizePassword(req.body.password);

    console.log(username);
    console.log(password);

});

app.listen(3000, function () {
    console.log('Example app listening on port 3000!')
});
 
Wow! I dont know where to start but I will start with thankyou!!

I would have never asked for someone to write it for me but your explanations are fantastic!!

I was sent on a bit of a random tangent the first place I asked on another forum and they said I needed to read up on Object Orientated javascript.

the reason I have sanitized the user and pass is the data is to be put into horsman.js (a node wrapper for phantom). Its only to test the capabilities of horseman rather than as a SAAS but as its user input into the CLI I thought I ought to sanitize it!

I've only been playing around with node for 2 weeks so your advice has been invaluable, though most of my mistakes were in language syntax.

if you are ever in the southeast of England I owe you a beer!!
 
You must log in or register to reply here.
Back