salesforce / secure-filters

Anti-XSS Security Filters for EJS and More
BSD 3-Clause "New" or "Revised" License

Remove node-validator from README #23

Closed: calendee closed this issue 10 years ago

calendee commented 10 years ago

node-validator no longer provides XSS filters. The secure-filters README needs to be updated to reflect this.

The maintainer suggests using Google's Caja.

There is a GitHub repo for Caja and Node: https://github.com/theSmaw/Caja-HTML-Sanitizer

stash commented 10 years ago

Thanks for this; I'll update.

stash commented 10 years ago

@calendee I'm revising the docs to clarify some confusion around what secure-filters does. I've opened a pull request: https://github.com/goinstant/secure-filters/pull/24

I decided to leave node-validator in there, but removed any links to the filtering functions it provides. I also mentioned Caja and linked to sanitizer. Is that OK with you?

calendee commented 10 years ago

First, thanks for the rapid response on this.

I think it would still suggest that node-validator helps solve the problem of XSS.

To effectively combat XSS, you must combine input validation with output sanitization. Using one or the other is not sufficient; you must apply both! This module aims to provide only output sanitization since there are plenty of JavaScript modules out there to do the validation part.

Now that node-validator simply does input validation (is this field a string, is it more than 6 but less than 10 characters long), it provides none of the XSS-related input validation suggested in the quote.
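The distinction the thread draws, shown as an added example that is not code from secure-filters, node-validator or either commenter: a shape check of the kind node-validator performs (string, length between 6 and 10) happily accepts a value containing markup, so the value still has to be encoded for the HTML or JavaScript context it is written into. The validator and the two escapers below are my own illustration of the principle, not the library's API.

```javascript
// Input validation in the style the thread describes: is it a string, and is
// its length between 6 and 10 characters? This says nothing about markup.
function isValidUsername(value) {
  return typeof value === 'string' && value.length > 6 && value.length < 10;
}

// Output encoding for an HTML text or attribute context: every character that
// could open or close a tag, attribute or entity becomes a character reference.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Output encoding for a JavaScript string-literal context: everything outside a
// conservative safe set is written as a \xHH or \uHHHH escape, so the value can
// neither terminate the surrounding quotes nor the enclosing <script> element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render a small profile snippet: validate the shape first, then encode the
// same value once per context it lands in. Validation alone is not enough.
function renderProfile(username) {
  if (!isValidUsername(username)) {
    throw new Error('username rejected by input validation');
  }
  return (
    `<p>Hello, ${escapeHtml(username)}</p>` +
    `<script>var name = "${escapeJsString(username)}";</script>`
  );
}

// Constructed sample: 9 characters, so it passes the length check, yet it
// contains markup characters that must not reach the page unencoded.
const SAMPLE_USERNAME = '<b>al</b>';
```

Run with node to see that the sample passes validation yet appears in the output only in encoded form.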