TypeError: validator.escape is not a function - ACME BANK

Title: TypeError: validator.escape is not a function

Tags: #XSS #CommonAttacksOnWeb #express-validator #validator.escape #SecuringAcmeBank #DefendingNodeApplications

Codecademy video: link

Explanation:

As part of my Codecademy Back-End Engineer training, I have to do a project outside of their platform. The goal of this project is to make sure a node application is protected from common web attacks.

One challenge I faced was securing the code from Cross-Site Scripting (XSS) attacks. To do this, I used a package called [email protected]. The code uses a function called validator.escape which is supposed to protect against any malicious code being inserted into an input form. However, I am getting an error in the console when I try to use it.

Terminal output:

TypeError: validator.escape is not a function
    at /workspace/Codecademy-Acme_Bank_Codecademy-Project/app.js:172:29
    at Layer.handle [as handle_request] (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/layer.js:95:5)
    at next (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/route.js:144:13)
    at Route.dispatch (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/route.js:114:3)
    at Layer.handle [as handle_request] (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/layer.js:95:5)
    at /workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/index.js:284:15
    at Function.process_params (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/index.js:346:12)
    at next (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/index.js:280:10)
    at jsonParser (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/body-parser/lib/types/json.js:101:7)
    at Layer.handle [as handle_request] (/workspace/Codecademy-Acme_Bank_Codecademy-Project/node_modules/express/lib/router/layer.js:95:5)

Here is the code:

const validator = require("express-validator");

app.post("/public_forum", function (request, response) {
  if (request.session.loggedin) {
    var comment = validator.escape(request.body.comment);
    var username = request.session.username;
    if (comment) {
      db.all(
        `INSERT INTO public_forum (username,message) VALUES ('${username}','${comment}')`,
        (err, rows) => {
          console.log(err);
        }
      );
      db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
        console.log(rows);
        console.log(err);
        response.render("forum", { rows });
      });
    } else {
      db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
        console.log(rows);
        console.log(err);
        response.render("forum", { rows });
      });
    }
    comment = "";
  } else {
    response.redirect("/");
  }
  comment = "";
  //response.end();
});

In the Codecademy video, the guy uses this function.

The project itself uses express-validator 5.x and you’re using 6.x, which introduced some changes.

Replace:

const validator = require("express-validator");

With:

const { check, body } = require("express-validator");

and then instead of:

app.post("/public_forum", function (request, response) {
  if (request.session.loggedin) {
    var comment = validator.escape(request.body.comment);
    var username = request.session.username;
    if (comment) {
      ...
    }
  }
});

You want to sanitize as a middleware like so:

app.post("/public_forum", body('comment').escape(), function (request, response) {
  if (request.session.loggedin) {
    var comment = request.body.comment;
    var username = request.session.username;
    if (comment) {
      ...
    }
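The middleware pattern the answer describes, written out as a complete added example that is not the Codecademy project's code nor the answerer's. `escapeField('comment')` stands in for `body('comment').escape()`: it reproduces the HTML-entity replacement table of validator.js `escape()`, which express-validator 6.x delegates to, so the file runs without either package installed. The `makeFakeDb` stand-in, the `handlePost` chain runner and the sample request are constructed for the example. The handler also passes `username` and `comment` as query parameters (node-sqlite3 style `?` placeholders) instead of interpolating them into the SQL string, because HTML escaping protects the rendered forum page, not the INSERT statement.

```javascript
// Added example (not from the Codecademy project or the forum post).
// With the real package, replace escapeField('comment') below with
// body('comment').escape() from require("express-validator") 6.x.

// HTML-entity replacement table used by validator.js escape().
const ESCAPE_MAP = {
  '&': '&amp;',
  '"': '&quot;',
  "'": '&#x27;',
  '<': '&lt;',
  '>': '&gt;',
  '/': '&#x2F;',
  '\\': '&#x5C;',
  '`': '&#96;',
};

function escapeHtml(value) {
  return String(value).replace(/[&"'<>\/\\`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Stand-in for body(field).escape(): an Express-style middleware that
// sanitizes one body field in place and then passes control on.
function escapeField(field) {
  return function (req, res, next) {
    if (req.body && typeof req.body[field] === 'string') {
      req.body[field] = escapeHtml(req.body[field]);
    }
    next();
  };
}

// Route handler in the shape of the corrected /public_forum route: it no
// longer calls validator.escape(); it reads the value the middleware already
// sanitized. The SQL is parameterized rather than built with a template literal.
function publicForumHandler(db) {
  return function (req, res) {
    if (!req.session || !req.session.loggedin) {
      return res.redirect('/');
    }
    const comment = req.body.comment;
    const username = req.session.username;
    if (comment) {
      db.run(
        'INSERT INTO public_forum (username,message) VALUES (?, ?)',
        [username, comment],
        (err) => { if (err) console.log(err); }
      );
    }
    db.all('SELECT username,message FROM public_forum', [], (err, rows) => {
      if (err) console.log(err);
      res.render('forum', { rows });
    });
  };
}

// Constructed in-memory stand-in for the sqlite3 `db` object so the route can
// be exercised offline; rows live in an array.
function makeFakeDb() {
  const rows = [];
  return {
    rows,
    run(sql, params, cb) { rows.push({ username: params[0], message: params[1] }); cb(null); },
    all(sql, params, cb) { cb(null, rows.slice()); },
  };
}

// Runs the middleware chain the way Express would for
// app.post('/public_forum', escapeField('comment'), publicForumHandler(db)).
function handlePost(db, req) {
  const res = {
    rendered: null,
    redirectedTo: null,
    render(view, locals) { this.rendered = { view, locals }; },
    redirect(url) { this.redirectedTo = url; },
  };
  const chain = [escapeField('comment'), publicForumHandler(db)];
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Constructed sample request carrying a script tag in the comment field.
const demoDb = makeFakeDb();
const demoRes = handlePost(demoDb, {
  session: { loggedin: true, username: 'alice' },
  body: { comment: '<script>alert("x")</script>' },
});
console.log(demoRes.rendered.locals.rows);
```

The stored message for the sample request is `&lt;script&gt;alert(&quot;x&quot;)&lt;&#x2F;script&gt;`, which the forum template renders as literal text. The same ordering matters with the real package: `body('comment').escape()` must appear in the route's middleware list before the handler, otherwise `request.body.comment` is still the raw input when the handler reads it.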