XSS Validator

Enabled Validate input for malicious code.

This middleware works by default for both GET and POST methods, and will throw a 400 Bad Request error when either the body or the query params contain unsafe code. Based on https://github.com/leizongmin/js-xss

ℹ Read more about performing output escaping here.

Usage

This middleware is enabled globally by default. You can customize it both globally and per route like following:

nuxt.config.ts
export default defineNuxtConfig({  // Global  security: {    xssValidator: {      // options    }  }  // Per Route  routeRules: {    '/my-secret-route': {      security: {        xssValidator: {          // options        }      }    }  }})

You can also disable the middleware globally or per route by setting xssValidator: false.

Options

XSS validator accepts the following configuration options:

type XssValidator = {  methods: Array<Uppercase<string>>;  whiteList: Record<string, any>;  escapeHtml: boolean;  stripIgnoreTag: boolean;  stripIgnoreTagBody: boolean;  css: Record<string, any> | boolean;  throwError: boolean;} | {};

methods

  • Default: ['GET', 'POST']

List of methods for which the validator will be invoked.

whiteList

  • Default: -

By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out

stripIgnoreTag

  • Default: -

Filter out tags not in the whitelist

stripIgnoreTagBody

  • Default: -

Filter out tags and tag bodies not in the whitelist

escapeHtml

  • Default: -

Disable html escaping (by default < is replaced by &lt; and > by &gt;)

css

  • Default: -

If you allow the attribute style, the value will be processed by cssfilter module.

throwError

  • Default: true

Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.

Edit this page on GitHub
Table of Contents