farcasclaudiu/Flowise
1
0
Fork 0
mirror of https://github.com/farcasclaudiu/Flowise.git synced 2026-06-28 15:00:57 +03:00
Code Issues Packages Projects Releases Wiki Activity

XSS: replacing deprecated sanitize-js with sanitize-html

Browse Source
This commit is contained in:
vinodkiran
2023-12-08 18:50:58 +05:30
parent 6e2d6cbac4
commit 99bc9d64fb
2 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/server/package.json
+1 -1
View File
@@ -61,9 +61,9 @@
"mysql": "^2.18.1", "mysql": "^2.18.1",
"pg": "^8.11.1", "pg": "^8.11.1",
"reflect-metadata": "^0.1.13", "reflect-metadata": "^0.1.13",
"sanitize-html": "^2.11.0",
"socket.io": "^4.6.1", "socket.io": "^4.6.1",
"sqlite3": "^5.1.6", "sqlite3": "^5.1.6",
"strip-js": "^1.2.0",
"typeorm": "^0.3.6", "typeorm": "^0.3.6",
"uuid": "^9.0.1", "uuid": "^9.0.1",
"winston": "^3.9.0" "winston": "^3.9.0"
packages/server/src/utils/XSS.ts
+5 -3
View File
@@ -1,10 +1,12 @@
import { Request, Response, NextFunction } from 'express' import { Request, Response, NextFunction } from 'express'
let stripJs = require('strip-js') const sanitizeHtml = require('sanitize-html')
export function sanitizeMiddleware(req: Request, res: Response, next: NextFunction): void { export function sanitizeMiddleware(req: Request, res: Response, next: NextFunction): void {
req.url = stripJs(req.url) // decoding is necessary as the url is encoded by the browser
const decodedURI = decodeURI(req.url)
req.url = sanitizeHtml(decodedURI)
for (let p in req.query) { for (let p in req.query) {
req.query[p] = stripJs(req.query[p]) req.query[p] = sanitizeHtml(req.query[p])
} }
next() next()