Building Your Learning Module...
Getting things ready for you!
Find videos you like?
Save to resource drawer for future reference!
Input sanitization is the process of cleaning and validating user input before using it in your application. It removes or escapes potentially dangerous characters and ensures data matches expected formats.
Check if input meets requirements
Clean input to make it safe
Convert special characters to HTML entities
< becomes <Remove leading/trailing spaces
str.trim()Convert to expected type
parseInt(), Number()Strip HTML/script tags
str.replace(/<[^>]*>/g, '')Escape quotes for database queries
Use parameterized queriesEncode special characters in URLs
encodeURIComponent()// HTML encoding - prevent XSS
function sanitizeHTML(str) {
const map = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/',
};
return String(str).replace(/[&<>"'/]/g, (char) => map[char]);
}
// Remove HTML tags
function stripHTML(str) {
return str.replace(/<[^>]*>/g, '');
}
// Sanitize email
function sanitizeEmail(email) {
return email.toLowerCase().trim();
}
// Sanitize string (alphanumeric + spaces)
function sanitizeString(str) {
return str.replace(/[^a-zA-Z0-9 ]/g, '');
}
// Sanitize number
function sanitizeNumber(value) {
const num = Number(value);
return isNaN(num) ? 0 : num;
}
// Sanitize URL
function sanitizeURL(url) {
try {
const parsed = new URL(url);
// Only allow http/https
if (!['http:', 'https:'].includes(parsed.protocol)) {
return '';
}
return parsed.href;
} catch {
return '';
}
}
// Usage
const userInput = '<script>alert("XSS")</script>';
console.log(sanitizeHTML(userInput));
// Output: <script>alert("XSS")</script>// Complete input processing class
class InputProcessor {
// Validate and sanitize username
static processUsername(input) {
// Sanitize: trim and lowercase
let username = input.trim().toLowerCase();
// Validate: length check
if (username.length < 3 || username.length > 20) {
throw new Error('Username must be 3-20 characters');
}
// Sanitize: allow only alphanumeric and underscore
username = username.replace(/[^a-z0-9_]/g, '');
// Validate: check format
if (!/^[a-z][a-z0-9_]*$/.test(username)) {
throw new Error('Username must start with letter');
}
return username;
}
// Validate and sanitize email
static processEmail(input) {
// Sanitize: trim and lowercase
let email = input.trim().toLowerCase();
// Validate: basic format check
const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
if (!emailRegex.test(email)) {
throw new Error('Invalid email format');
}
// Additional validation: length check
if (email.length > 254) {
throw new Error('Email too long');
}
return email;
}
// Validate and sanitize password
static processPassword(input) {
// No sanitization for passwords!
// Only validate
if (input.length < 8) {
throw new Error('Password must be at least 8 characters');
}
if (!/[A-Z]/.test(input)) {
throw new Error('Password must contain uppercase letter');
}
if (!/[a-z]/.test(input)) {
throw new Error('Password must contain lowercase letter');
}
if (!/[0-9]/.test(input)) {
throw new Error('Password must contain number');
}
return input; // Return as-is
}
// Process comment with sanitization
static processComment(input) {
// Sanitize: trim
let comment = input.trim();
// Validate: length
if (comment.length === 0) {
throw new Error('Comment cannot be empty');
}
if (comment.length > 500) {
throw new Error('Comment too long (max 500 characters)');
}
// Sanitize: HTML encode for safety
comment = this.sanitizeHTML(comment);
return comment;
}
static sanitizeHTML(str) {
const map = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": '''
};
return String(str).replace(/[&<>"']/g, (c) => map[c]);
}
}
// Usage example
try {
const username = InputProcessor.processUsername(' Alice_123 ');
console.log('Username:', username); // 'alice_123'
const email = InputProcessor.processEmail(' Alice@Example.COM ');
console.log('Email:', email); // 'alice@example.com'
const comment = InputProcessor.processComment('<b>Great article!</b>');
console.log('Comment:', comment); // '<b>Great article!</b>'
} catch (error) {
console.error('Validation error:', error.message);
}// 1. DOMPurify - HTML sanitization
import DOMPurify from 'dompurify';
const dirty = '<img src=x onerror=alert(1)>';
const clean = DOMPurify.sanitize(dirty);
console.log(clean); // '<img src="x">' - removes onerror
// Rich text with safe HTML
const richText = '<p>Hello <b>World</b></p><script>alert("XSS")</script>';
const sanitized = DOMPurify.sanitize(richText);
console.log(sanitized); // '<p>Hello <b>World</b></p>' - removes script
// 2. validator.js - String validation/sanitization
import validator from 'validator';
// Email validation
const email = ' TEST@EXAMPLE.COM ';
const isValid = validator.isEmail(email);
const normalized = validator.normalizeEmail(email);
console.log(normalized); // 'test@example.com'
// URL sanitization
const url = 'javascript:alert(1)';
const isSafe = validator.isURL(url, {
protocols: ['http', 'https'],
require_protocol: true
});
console.log(isSafe); // false - blocks javascript: protocol
// Escape HTML
const userInput = '<script>alert("XSS")</script>';
const escaped = validator.escape(userInput);
console.log(escaped); // HTML entities
// 3. express-validator - Server-side validation
import { body, validationResult } from 'express-validator';
app.post('/register',
// Validation and sanitization middleware
body('username')
.trim()
.isLength({ min: 3, max: 20 })
.isAlphanumeric()
.escape(),
body('email')
.trim()
.isEmail()
.normalizeEmail()
.escape(),
body('age')
.optional()
.isInt({ min: 0, max: 120 })
.toInt(),
(req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// req.body now contains sanitized data
const { username, email, age } = req.body;
// Safe to use...
}
);Clean all user input
Never trust client-side data
Check format, then clean
Both are essential
DOMPurify, validator.js
Battle-tested solutions
HTML vs URL vs SQL
Different contexts need different sanitization