Comments (10)
I agree, if req.param()
provided a way to specify from which source to extract the parameters then req.assert()
should be able to handle that as well. However I can't really find the place where you got the syntax req.param('password', req.body)
from. To my knowledge in express.js url-parameters take precedence over get-parameters which take precedence over post-parameters if one uses req.param()
, see https://github.com/visionmedia/express/blob/master/lib/request.js#L244-258
If you do not expect any get-parameters you could use
req.query = null;
as a workaround to unset all query-parameters before doing the asserts.
So currently req.assert()
somehow just behaves like the express.js-provided req.param()
.
Any thoughts?
from express-validator.
Yeah sorry my bad, misunderstood what I was looking at. (I guess I was trying to be optimistic.)
I've been using something similar to req.query.email = req.params.email = req.body.email;
as a workaround, but it seems that req.assert()
could work in a way where you pass it req.body
, req.params
, req.query
or post, get, route and it uses that.
To me req.param() seems like a rather large security hole in it's current form for unsuspecting programmers. Ask for variables via post have them given to req.param via get. But that is just me.
from express-validator.
Yeah, I admit req.param()
may be a little confusing, but as express-validator is a middleware for express.js I want to stick with the way, express.js behaves.
You can still use plain node-validator to validate just the bits that you want so you don't get confused by strange express.js magic ;)
Maybe you might consider filing an issue for express.js that addresses your concerns?
from express-validator.
Another idea would be to add something like
req.query.assert('email')
req.body.assert('email')
etc.
But I'm not sure how useful that would be if the application later still can use req.param('email')
....
from express-validator.
Yeah I may go to just regular node-validator and sadly drop this, but I do understand sticking with the way expressjs handles things.
Posted here expressjs/express#622
from express-validator.
Cool, thanks for the upstream issue. Closing this one.
from express-validator.
Hmm, after I've read the issue I reopen the issue here. I'll think about some way to handle that stuff nicer in express-validator.
from express-validator.
The only thing I can think of is having it where you either pass the req.body
etc. or just saying post, route, or get as a second parameter. If that is the case I can just req.body.example
afterwards to get my sanitized or asserted variable. Personally my favorite thing is the easy error handling with assertions, because with my way I could basically just use node-validator I just don't get the nice assertions.
from express-validator.
#32 provides a special method checkBody
for checking the body only, similar methods could be added for checkQuery
and checkParams
. If anyone has the need for these feel free to open a pull request for it.
from express-validator.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
from express-validator.
Related Issues (20)
- Validation on nested fields not working. HOT 1
- validationResult function don't give any Error HOT 3
- Empty array as default value not working. HOT 1
- isDate() returns false on "2021-02-12" for express-validator v7 HOT 5
- Re-use validators on the front end? HOT 3
- How to pass parameters to a custom validator using schemas HOT 2
- TS Error. Type 'IsURLOptions' does not include some properties
- const {query} = require("express-validator") not working but {check} is working HOT 1
- How to stop the validation flow to different checks HOT 1
- How can I prevent isStrongPassword() accepting whitespaces? HOT 1
- Validate json object HOT 6
- Able to use validation inside controller? HOT 5
- How to use if inside ParamSchema? HOT 1
- Check if a field is either a string or an Array of Strings HOT 1
- Using oneOf together with checkExact causes Unknown Field errors HOT 2
- How to keep keys for optional fields in matchedData?
- Build failed in master branch HOT 2
- Return ValidationChain inside a function. HOT 1
- notEmpty Validation Fails to Detect Empty String with Spaces, Allowing Insertion of Empty String into Database" HOT 1
- Syntax error in example of ValidationError type in express-validator/src/base.ts
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from express-validator.