Socket.io清理传入数据(xss) [英] Socket.io sanitize incoming data (xss)

问题描述

im在expressjs 3中使用socket.io.我想用express-validator清理传入的消息.我有以下代码:

im using socket.io in expressjs 3. And i want to sanitize incoming messages with express-validator. I have this code:

var expressValidator = require('express-validator')
, sanitize = require('express-validator').sanitize;

socket.on('chat', function (data) {
    io.sockets.in('test').emit('chat', {
            user: sh.session.user,
            message: data.message,
            time: new Date()
    });
});

我如何使用sanitize(data.message).xss?因为这不起作用.

how do i use sanitize(data.message).xss? Because this does not work.

推荐答案

在这种情况下，您想使用validator而不是express-validator.首先通过npm安装它:

In this case you want to use validator instead of express-validator. First install it thru npm:

npm install validator

然后以几乎相同的方式使用它:

Then use it pretty much the same way:

var sanitize = require('validator').sanitize;

// later on
message = sanitize(data.message).xss()

这样做的原因是因为express-validator用于处理通过expressjs传递的HTTP请求.对于Websockets，您不会使用expressjs，而只是在与它相同的端口上进行侦听.因此，在Websocket的数据事件上下文中，express-validator实际上并不存在".

The reason for this is because express-validator is used for when you are dealing with an HTTP request that went thru expressjs. In the case of Websockets, you are not going thru expressjs, but rather just listening on the same port as it. So express-validator is not actually "present" in the context of your Websocket's data event.

这篇关于Socket.io清理传入数据(xss)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！