Express: Validating and sanitizing input

Validating input

Let’s see how to validate any data coming in as input in your Express endpoints.

Say you have a POST endpoint that accepts the name, email and age parameters:

const express = require('express')
const app = express()

app.use(express.json())

app.post('/form', (req, res) => {
  const name  = req.body.name
  const email = req.body.email
  const age   = req.body.age
})

How do you perform server-side validation on those results to make sure:

name is a string of at least 3 characters?
email is a real email?
age is a number, between 0 and 110?

The best way to handle validation on any kind of input coming from outside in Express is by using the express-validator package:

npm install express-validator

You require the check and validationResult objects from the package:

const { check, validationResult } = require('express-validator');

We pass an array of check() calls as the second argument of the post() call. Every check() call accepts the parameter name as argument. Then we call validationResult() to verify there were no validation errors. If there are any, we tell them to the client:

app.post('/form', [
  check('name').isLength({ min: 3 }),
  check('email').isEmail(),
  check('age').isNumeric()
], (req, res) => {
  const errors = validationResult(req)
  if (!errors.isEmpty()) {
    return res.status(422).json({ errors: errors.array() })
  }

  const name  = req.body.name
  const email = req.body.email
  const age   = req.body.age
})

Notice I used

isLength()
isEmail()
isNumeric()

There are many more of these methods, all coming from validator.js, including:

contains(), check if value contains the specified value
equals(), check if value equals the specified value
isAlpha()
isAlphanumeric()
isAscii()
isBase64()
isBoolean()
isCurrency()
isDecimal()
isEmpty()
isFQDN(), is a fully qualified domain name?
isFloat()
isHash()
isHexColor()
isIP()
isIn(), check if the value is in an array of allowed values
isInt()
isJSON()
isLatLong()
isLength()
isLowercase()
isMobilePhone()
isNumeric()
isPostalCode()
isURL()
isUppercase()
isWhitelisted(), checks the input against a whitelist of allowed characters

You can validate the input against a regular expression using matches().

Dates can be checked using

isAfter(), check if the entered date is after the one you pass
isBefore(), check if the entered date is before the one you pass
isISO8601()
isRFC3339()

For exact details on how to use those validators, refer to https://github.com/chriso/validator.js#validators.

All those checks can be combined by piping them:

check('name')
  .isAlpha()
  .isLength({ min: 10 })

If there is any error, the server automatically sends a response to communicate the error. For example if the email is not valid, this is what will be returned:

{
  "errors": [{
    "location": "body",
    "msg": "Invalid value",
    "param": "email"
  }]
}

This default error can be overridden for each check you perform, using withMessage():

check('name')
  .isAlpha()
  .withMessage('Must be only alphabetical chars')
  .isLength({ min: 10 })
  .withMessage('Must be at least 10 chars long')

What if you want to write your own special, custom validator? You can use the custom validator.

In the callback function you can reject the validation either by throwing an exception, or by returning a rejected promise:

app.post('/form', [
  check('name').isLength({ min: 3 }),
  check('email').custom(email => {
    if (alreadyHaveEmail(email)) {
      throw new Error('Email already registered')
    }
  }),
  check('age').isNumeric()
], (req, res) => {
  const name  = req.body.name
  const email = req.body.email
  const age   = req.body.age
})

The custom validator:

check('email').custom(email => {
  if (alreadyHaveEmail(email)) {
    throw new Error('Email already registered')
  }
})

can be rewritten as

check('email').custom(email => {
  if (alreadyHaveEmail(email)) {
    return Promise.reject('Email already registered')
  }
})

Sanitizing input

You’ve seen how to validate input that comes from the outside world to your Express app.

There’s one thing you quickly learn when you run a public-facing server: never trust the input.

Even if you sanitize and make sure that people can’t enter weird things using client-side code, you’ll still be subject to people using tools (even just the browser devtools) to POST directly to your endpoints.

Or bots trying every possible combination of exploit known to humans.

What you need to do is sanitizing your input.

The express-validator package you already use to validate input can also conveniently used to perform sanitization.

Say you have a POST endpoint that accepts the name, email and age parameters:

const express = require('express')
const app = express()

app.use(express.json())

app.post('/form', (req, res) => {
  const name  = req.body.name
  const email = req.body.email
  const age   = req.body.age
})

You might validate it using:

const express = require('express')
const app = express()

app.use(express.json())

app.post('/form', [
  check('name').isLength({ min: 3 }),
  check('email').isEmail(),
  check('age').isNumeric()
], (req, res) => {
  const name  = req.body.name
  const email = req.body.email
  const age   = req.body.age
})

You can add sanitization by piping the sanitization methods after the validation ones:

app.post('/form', [
  check('name').isLength({ min: 3 }).trim().escape(),
  check('email').isEmail().normalizeEmail(),
  check('age').isNumeric().trim().escape()
], (req, res) => {
  //...
})

Here I used the methods:

trim() trims characters (whitespace by default) at the beginning and at the end of a string
escape() replaces <, >, &, ', " and / with their corresponding HTML entities
normalizeEmail() canonicalizes an email address. Accepts several options to lowercase email addresses or subaddresses (e.g. [email protected])

Other sanitization methods:

blacklist() remove characters that appear in the blacklist
whitelist() remove characters that do not appear in the whitelist
unescape() replaces HTML encoded entities with <, >, &, ', " and /
ltrim() like trim(), but only trims characters at the start of the string
rtrim() like trim(), but only trims characters at the end of the string
stripLow() remove ASCII control characters, which are normally invisible

Force conversion to a format:

toBoolean() convert the input string to a boolean. Everything except for ‘0’, ‘false’ and ” returns true. In strict mode only ‘1’ and ‘true’ return true
toDate() convert the input string to a date, or null if the input is not a date
toFloat() convert the input string to a float, or NaN if the input is not a float
toInt() convert the input string to an integer, or NaN if the input is not an integer

Like with custom validators, you can create a custom sanitizer.

In the callback function you just return the sanitized value:

const sanitizeValue = value => {
  //sanitize...
}

app.post('/form', [
  check('value').customSanitizer(value => {
    return sanitizeValue(value)
  }),
], (req, res) => {
  const value  = req.body.value
})

Lessons in this unit:

0:	Introduction
1:	Introduction to Express
2:	Request parameters
3:	Send a response to the client
4:	Send a JSON response
5:	Manage cookies
6:	Work with HTTP headers
7:	Handling redirects
8:	Routing
9:	Template engines
10:	Middleware
11:	Serving Static Assets with Express
12:	Send files to the client
13:	Sessions
14:	▶︎ Validating and sanitizing input
15:	Handling form data

Are you intimidated by Git? Can’t figure out merge vs rebase? Are you afraid of screwing up something any time you have to do something in Git? Do you rely on ChatGPT or random people’s answer on StackOverflow to fix your problems? Your coworkers are tired of explaining Git to you all the time? Git is something we all need to use, but few of us really master it. I created this course to improve your Git (and GitHub) knowledge at a radical level. Launching May 21, 2024. Join the waiting list!