Skip to main content
Version: 6.12.0

Sanitization

Sometimes, receiving input in a HTTP request isn't only about making sure that the data is in the right format, but also that it is free of noise.

validator.js provides a handful of sanitizers that can be used to take care of the data that comes in.

const express = require('express');
const { body } = require('express-validator');

const app = express();
app.use(express.json());

app.post(
  '/comment',
  body('email').isEmail().normalizeEmail(),
  body('text').not().isEmpty().trim().escape(),
  body('notifyOnReply').toBoolean(),
  (req, res) => {
    // Handle the request somehow
  },
);

In the example above, we are validating email and text fields, so we may take advantage of the same chain to apply some sanitization, like e-mail normalization (normalizeEmail) and trimming (trim)/HTML escaping (escape).
The notifyOnReply field isn't validated, but it can still make use of the same check function to convert it to a JavaScript boolean.

Important: please note that sanitization mutates the request. This means that if req.body.text was sent with the value Hello world :>), after the sanitization its value will be Hello world :>).