Sanitization
Overview
In the Nodeblocks system, all data received from the client side is sanitized before the system handles it.
Sanitization consists of two parts:
- escaping HTML
- escaping SQL
It serves two main purposes:
- Prevent XSS attacks
- Prevent SQL injection
Details
For escaping HTML, Nodeblocks uses the sanitize-html library to process every string field in the request parameters (param, query, body). It not only escapes HTML tags and symbols but also removes some dangerous HTML tags.
For escaping SQL, Nodeblocks uses the following internal string-escaping function:
// Escapes the characters that are special inside a SQL string literal.
const escapeSql = (str: string): string => {
  str = str.replace(/\0/g, '\\0');        // NUL byte
  str = str.replace(/\n/g, '\\n');        // line feed
  str = str.replace(/\r/g, '\\r');        // carriage return
  str = str.replace(/\x1a/g, '\\Z');      // Ctrl-Z (0x1A, the same character as octal \032)
  str = str.replace(/(['"]+)/g, '\\$1');  // a run of single or double quotes gets one leading backslash
  return str;
};
The complete sanitization process (HTML first, then SQL):
import sanitizeHtml from 'sanitize-html';
// escapeSql is the internal function defined above.
const sanitizeString = (rawString: string): string =>
  escapeSql(sanitizeHtml(rawString));
Unescaping Text
It is sometimes necessary to reverse the process when working with sanitized strings.
Where
Since the frontend is responsible for presentation, unescaping usually happens in the frontend.
How
For unescaping HTML, the he library is an option:
import he from 'he';
// Decodes HTML entities back into the original characters.
const unescapeHtml = (escapedHtml: string): string => he.unescape(escapedHtml);
For unescaping SQL, the inverse of escapeSql:
// Reverses escapeSql; the escaped backslash is handled last so that the
// earlier replacements do not consume the backslash it introduces.
function unescapeSql(escapedString: string): string {
  return escapedString
    .replace(/\\0/g, '\0')
    .replace(/\\n/g, '\n')
    .replace(/\\r/g, '\r')
    .replace(/\\Z/g, '\x1a')
    .replace(/\\'/g, "'")
    .replace(/\\"/g, '"')
    .replace(/\\\\/g, '\\');
}
For the whole process (SQL first, then HTML, i.e. the reverse of sanitizeString):
import he from 'he';
// unescapeSql is the function defined above.
const reversedString = he.unescape(unescapeSql(sanitizedString));
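As an added example that is not part of the Nodeblocks documentation or code base, the following TypeScript file copies the escapeSql and unescapeSql functions above and exercises them as a round-trip check (unsanitize(sanitize(x)) === x). It replaces sanitize-html and he with minimal stand-ins (escapeHtmlText and unescapeHtmlText, assumed names) that only encode and decode the characters &, <, > and ", so it runs without npm dependencies; the real libraries do more (sanitize-html also strips disallowed tags and attributes, and he decodes the full entity set). The sample inputs are constructed for the example.

```typescript
// Added example, not Nodeblocks code: the page's escapeSql/unescapeSql pair plus
// minimal stand-ins for sanitize-html and he, exercised as a round-trip check.

// Copy of the page's escapeSql; /\x1a/ is the same character as the octal /\032/.
const escapeSql = (str: string): string => {
  str = str.replace(/\0/g, '\\0');
  str = str.replace(/\n/g, '\\n');
  str = str.replace(/\r/g, '\\r');
  str = str.replace(/\x1a/g, '\\Z');
  str = str.replace(/(['"]+)/g, '\\$1');
  return str;
};

// Copy of the page's unescapeSql.
function unescapeSql(escapedString: string): string {
  return escapedString
    .replace(/\\0/g, '\0')
    .replace(/\\n/g, '\n')
    .replace(/\\r/g, '\r')
    .replace(/\\Z/g, '\x1a')
    .replace(/\\'/g, "'")
    .replace(/\\"/g, '"')
    .replace(/\\\\/g, '\\');
}

// Assumed stand-in for sanitize-html: encodes only &, <, > and " in text.
// The real library additionally strips disallowed tags and attributes.
function escapeHtmlText(s: string): string {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Assumed stand-in for he.unescape, covering only the entities produced above.
function unescapeHtmlText(s: string): string {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&'); // decoded last so "&amp;lt;" yields "&lt;", not "<"
}

// Same composition order as the page: HTML first, then SQL; reversed on the way out.
const sanitizeString = (raw: string): string => escapeSql(escapeHtmlText(raw));
const unsanitizeString = (s: string): string => unescapeHtmlText(unescapeSql(s));

// True when a value survives sanitize -> unsanitize unchanged.
function roundTrips(input: string): boolean {
  return unsanitizeString(sanitizeString(input)) === input;
}

// Constructed sample inputs (not from the page), each paired with its expected round-trip result.
const samples: Array<[string, boolean]> = [
  ["<b>O'Brien</b>", true],   // tags and a quote: both layers fire and reverse cleanly
  ['line1\nline2', true],      // a real newline becomes \n and comes back
  ['a\\nb', false],            // backslash followed by "n": unescapeSql turns it into a newline
];

// Returns true when every sample behaves as annotated.
function runSamples(): boolean {
  return samples.every(([input, expected]) => roundTrips(input) === expected);
}
```

The escaping layer is defence in depth: database access should still use parameterized queries, so the escaped string is never the only thing standing between user input and the query text. The third sample shows that the reverse mapping is not lossless: input that already contains a literal backslash followed by n is decoded to a newline by unescapeSql, which is a data-fidelity point to keep in mind when displaying stored values.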