README.md
# disinfect
[![NodeCI](https://github.com/genediazjr/disinfect/actions/workflows/nodeci.yml/badge.svg)](https://github.com/genediazjr/disinfect/actions/workflows/nodeci.yml)
[![CodeQL](https://github.com/genediazjr/disinfect/actions/workflows/codeql.yml/badge.svg)](https://github.com/genediazjr/disinfect/actions/workflows/codeql.yml)
[![NPM Version](https://badge.fury.io/js/disinfect.svg)](https://www.npmjs.com/disinfect)
[![NPM Downloads](https://img.shields.io/npm/dt/disinfect.svg?maxAge=2592000)](https://www.npmjs.com/disinfect)
[![Code Climate](https://codeclimate.com/github/genediazjr/disinfect/badges/gpa.svg)](https://codeclimate.com/github/genediazjr/disinfect)
[![Known Vulnerabilities](https://snyk.io/test/github/genediazjr/disinfect/badge.svg)](https://snyk.io/test/github/genediazjr/disinfect)
Hapi plugin to apply Google's [Caja](https://github.com/google/caja) HTML Sanitizer on route query, payload, and params.
* Capable for custom sanitization and per-route configuration.
* Can also be used for input formatting using the custom sanitizer option.
* Can be disabled per route.
## Usage
```js
const registerPlugins = async (server) => Promise.all([
server.register({
plugin: require('disinfect'),
options: {
disinfectQuery: true,
disinfectParams: true,
disinfectPayload: true
}
})
]);
registerPlugins(server)
.then(() => {
// ...
})
.catch((err) => {
// ...
})
```
[Glue](https://github.com/hapijs/glue) manifest
```js
register: {
plugins: [
{
plugin: require('disinfect'),
options: {
disinfectQuery: true,
disinfectParams: true,
disinfectPayload: true
}
}
]
}
```
## Options
* **deleteEmpty** - remove empty query or payload keys.
* **deleteWhitespace** - remove whitespace query, payload, or params keys.
* **disinfectQuery** - sanitize query strings.
* **disinfectParams** - sanitize url params.
* **disinfectPayload** - sanitize payload.
* **genericSanitizer** - custom synchronous function to do the sanitization of query, payload, and params.
* **querySanitizer** - custom synchronous function to do the sanitization of query strings.
* **paramsSanitizer** - custom synchronous function to do the sanitization of url params.
* **payloadSanitizer** - custom synchronous function to do the sanitization of payload.
`deleteEmpty` and `deleteWhitespace` defaults to `false`.
`disinfectQuery`, `disinfectParams`, and `disinfectPayload` defaults to `false`. If set to true, object will be passed to `caja` first before custom sanitizers.
```
dirtyObject ->`Caja` sanitizer -> `genericSanitizer` -> `query-`, `params-`, or `payload-` sanitizer -> deleteWhitespace -> deleteEmpty -> cleanObject.
```
`genericSanitizer`, `querySanitizer`, `paramsSanitizer`, and `payloadSanitizer` should be in the following format:
```js
const customSanitizer = (dirtyObj) => {
// ...
return cleanObj;
}
```
All options can be passed on a per-[route](http://hapijs.com/api#route-options) basis. Route options overrides server options.
```js
// example
{
path: '/',
method: 'get',
handler: (request, reply) => {
...
},
options: {
plugins: {
disinfect: {
disinfectQuery: true,
disinfectParams: false,
disinfectPayload: true
}
}
}
}
```
Disable on a route.
```js
{
path: '/',
method: 'get',
handler: (request, reply) => {
...
},
options: {
plugins: {
disinfect: false
}
}
}
```
## Contributing
* Include 100% test coverage
* Follow the [Hapi coding conventions](http://hapijs.com/styleguide)
* Submit an issue first for significant changes.
## Credits
* [hapi-sanitize-payload](https://github.com/lob/hapi-sanitize-payload) - Hapi plugin to sanitize the request payload
* [Caja-HTML-Sanitizer](https://github.com/theSmaw/Caja-HTML-Sanitizer) - Bundles Google Caja's HTML Sanitizer within a npm installable node.js module