What is the difference between validating and sanitizing input data in an Express.JS application using the Hapi.JS Joi module?

Using Hapi.JS Joi to validate logins for an Express application. This is the boilerplate setup:

const express = require('express');
const Joi = require('joi');

const app = express();

const schema = Joi.object().keys({
   username: Joi.string().alphanum().min(3).max(30).required(),
   birthyear: Joi.number().integer().min(1900).max(2013),
}).with('username', 'birthyear');

app.use('/user/:id', function (req, res, next) {
   // Joi.validate(value, schema, callback) is the callback-style API of the Joi releases this was written against
   Joi.validate({ username: 'abc', birthyear: 1994 }, schema, function (err, value) {
      if (err) {

         ...

      }

      ...
      next();
   });
});

QUESTION No. 1: What is the difference between validation and sanitization? And should I sanitize the data for the Express API? This is for a mobile application, not a website, so I'm trying to figure out if I should validate as well as sanitize.

QUESTION No. 2: How can I sanitize the input using Joi or some other Express-compatible library?

+6
3 answers

Sanitizing

XSS <script>alert(1)</script>
&lt;script&gt;alert(1)&lt;/script&gt;

, , , ..

,
a > 5, @ , . @ ..

2

.
.

+4

?

Sanitizing Inputs , .

SQL Injection, , / . , , .

SELECT * FROM `users` WHERE `username`='$user' AND `pass`='$pass'

$user $pass - , .

, - :

username -> admin' AND 1=1 OR 1='1
password -> pass

:

SELECT * FROM `users` WHERE `username`='admin' AND 1=1 OR 1='1' AND `pass`='pass'

admin admin.

, :

SELECT * FROM `users` WHERE `username`='admin\' AND 1=1 OR 1=\'1' AND `pass`='pass'

, .

Validation

- , , .

, Android IOS , . , , , .

ANDROID & IOS n, ANDROID &amp; IOS.

Express API?

, , API , . , - . (: wink:)

Joi - , Express?

Joi

validate(value, schema, {escapeHtml: true}, [callback])

+4

?

, , .

// checks that 22 is a number and must be >=99
Joi.validate(22, Joi.number().min(99));

.

, , , . < &lt;

.

Express API?

, .

, , .

, , , . .

How can I sanitize logins using Joi or some other Express compatible library?

Joi is a validation library. It is ideal for checking data. But for sanitization, go with something like string.js for methods like escapeHTML() and the xss-filters module for sanitizing XSS.

+3
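The distinction the answers draw, as an added example that is not from the original thread, from Joi or from string.js: a validator that mirrors the rules of the question's schema by hand (no dependencies, so it runs offline) and rejects bad input, next to an HTML-escaping sanitizer that rejects nothing and only neutralises metacharacters for output. The function names and sample inputs are mine.

```javascript
// Added example: validation versus sanitization, plain Node.js, no dependencies.
// validateLogin (hypothetical helper) re-implements the question's Joi schema:
//   username:  alphanumeric, 3-30 chars, required
//   birthyear: integer 1900..2013, required whenever username is present (.with)
function validateLogin(input) {
  const errors = [];
  const { username, birthyear } = input;
  if (typeof username !== 'string') {
    errors.push('username is required');
  } else if (!/^[a-zA-Z0-9]{3,30}$/.test(username)) {
    errors.push('username must be 3-30 alphanumeric characters');
  }
  if (birthyear === undefined) {
    if (username !== undefined) errors.push('birthyear is required with username');
  } else if (!Number.isInteger(birthyear) || birthyear < 1900 || birthyear > 2013) {
    errors.push('birthyear must be an integer between 1900 and 2013');
  }
  return { ok: errors.length === 0, errors };
}

// escapeHtml (hypothetical helper) does what string.js escapeHTML() does:
// it never rejects a value, it only replaces characters that carry meaning in
// HTML so the value can be interpolated into a page without being interpreted.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// handleLogin shows the order a request handler should use: validate first and
// reject with 400, then escape only the representation that a client will
// render as HTML. Escaping alone would have let the <script> username through.
function handleLogin(input) {
  const result = validateLogin(input);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 200, body: { greetingHtml: 'Welcome, ' + escapeHtml(input.username) } };
}

// Constructed sample inputs, including the two escaping cases from the answers.
console.log(handleLogin({ username: 'abc', birthyear: 1994 }));
console.log(handleLogin({ username: '<script>alert(1)</script>', birthyear: 1994 }));
console.log(escapeHtml('<script>alert(1)</script>'));
console.log(escapeHtml('ANDROID & IOS'));
```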