XSS Validator
Enabled Validate input for malicious code.
This middleware works for both GET
, POST
methods and will throw an 400 Bad Request
error when the either body or query params will contain unsecure code. Based on https://github.com/leizongmin/js-xss
Usage
This middleware is enabled globally by default. You can customize it both globally and per route like following:
export default defineNuxtConfig({ // Global security: { xssValidator: { // options } } // Per Route routeRules: { '/my-secret-route': { security: { xssValidator: { // options } } } }})
You can also disable the middleware globally or per route by setting xssValidator: false
.
Options
XSS validator accepts following configuration options:
type XssValidator = { whiteList: Record<string, any>; stripIgnoreTag: boolean; stripIgnoreTagBody: boolean; css: Record<string, any> | boolean; throwError: boolean;} | {};
whiteList
- Default:
-
By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out
stripIgnoreTag
- Default:
-
Filter out tags not in the whitelist
stripIgnoreTagBody
- Default:
-
Filter out tags and tag bodies not in the whitelist
css
- Default:
-
If you allow the attribute style, the value will be processed by cssfilter module.
throwError
- Default:
true
Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.