Input Validation for Request Parameters about express HOT 4 CLOSED

Yes, there are many validator libraries you can use with express to suit your specific validation neeeds.

You may have opened this issue again the wrong repo as this is the express framework, and not an application that would be implementing some validation lib.

from express.

If you are looking for help on what lib you want to use in your app, feel free to post over in our discussion board https://github.com/expressjs/express/discussions

from express.

req.params should not be sanitized by Express. It should be just properly handled by the developer depending on the planned usage.

How do you know what the developer using Express wants to do with the received values? Different sanitization methods are required for different use cases (paths, data used in HTML, DB queries, etc.) and it would be easy to miss something. What if raw data is necessary (e.g. because it will be used in a safe way)?

from express.

Thank you for your valuable feedback. While I appreciate the concern, the proposed modifications to req.param aim to enhance security by incorporating validation for alphanumeric values. However, it's essential to note that Express deliberately avoids sanitizing req.params directly, as this allows developers to exercise greater control over the sanitization process based on their specific use cases. Different contexts may demand distinct sanitization methods (e.g., paths, HTML, or database queries), and enforcing a universal approach could inadvertently limit flexibility. By presenting raw data, Express empowers developers to make informed decisions about validation and modification tailored to their application's unique requirements. It's crucial to strike a balance between security measures and flexibility to accommodate diverse development scenarios effectively.

from express.