{"id":17613,"library":"express-html-sanitizer","title":"Express HTML Sanitizer Middleware","description":"express-html-sanitizer is an Express JS middleware designed to clean up and sanitize JSON request bodies by recursively removing unwanted HTML tags. It leverages the `sanitize-html` module for its core sanitization logic. The package is currently at version 1.0.1 and appears to be in an abandoned state, with no updates or commits in several years, meaning it lacks a defined release cadence and may not be actively maintained for security or feature updates. Its primary differentiator is its recursive application of HTML sanitization directly within the Express middleware chain, making it suitable for RESTful services that process JSON inputs potentially containing user-generated HTML.","status":"abandoned","version":"1.0.1","language":"javascript","source_language":"en","source_url":"https://github.com/shohidulbari/express-html-sanitizer","tags":["javascript","html","parser","sanitizer","express","middleware"],"install":[{"cmd":"npm install express-html-sanitizer","lang":"bash","label":"npm"},{"cmd":"yarn add express-html-sanitizer","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-html-sanitizer","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required as a host framework for the middleware.","package":"express","optional":false},{"reason":"Core library used for performing the actual HTML sanitization.","package":"sanitize-html","optional":false},{"reason":"Required to parse JSON request bodies before this middleware can process them. Must be applied before express-html-sanitizer.","package":"body-parser","optional":true}],"imports":[{"note":"The package only supports CommonJS `require` syntax.","symbol":"sanitizer","correct":"const sanitizer = require('express-html-sanitizer');"},{"note":"The `require` call returns a factory function; you must call it to get the middleware. The `require().default` pattern is not applicable here as it's not an ES Module.","wrong":"const sanitizeReqBody = require('express-html-sanitizer')();","symbol":"sanitizeReqBody","correct":"const sanitizeReqBody = sanitizer();"},{"note":"This package is CommonJS-only and does not provide native ES Module exports. Attempting to use `import` will result in an error.","wrong":"import sanitizer from 'express-html-sanitizer';","symbol":"sanitizer","correct":"N/A"}],"quickstart":{"code":"const express = require('express');\nconst sanitizer = require('express-html-sanitizer');\nconst bodyParser = require('body-parser');\nconst app = express();\n\n// Make some custom configuration if you want (optional)\nconst config = {\n\tallowedTags: ['b', 'i', 'em', 'strong', 'a'],\n\tallowedAttributes: {'a': ['href']},\n\tallowedIframeHostnames: ['www.youtube.com']\n};\n\n// Get the middleware with custom configuration\nconst sanitizeReqBody = sanitizer(config);\n\n// Add body-parser middleware BEFORE the sanitizer\napp.use(bodyParser.json());\n\n// Add express-html-sanitizer middleware\napp.use(sanitizeReqBody);\n\napp.post('/post', (req, res) => {\n\t// req.body now contains sanitized JSON data\n\tconsole.log('Sanitized request body:', req.body);\n\tres.json({ message: 'Data received and sanitized', data: req.body });\n});\n\napp.listen(8080, () => {\n\tconsole.log('Express server started on port 8080');\n});","lang":"javascript","description":"Demonstrates setting up an Express application with `body-parser` and `express-html-sanitizer` middleware to sanitize POST request bodies using a custom configuration before handling the request."},"warnings":[{"fix":"Evaluate actively maintained HTML sanitization libraries for Express, or fork and maintain the package yourself.","message":"This package is abandoned and has not received updates in over four years. It may contain security vulnerabilities from outdated dependencies (especially `sanitize-html`) or lack crucial bug fixes. Use with caution or consider actively maintained alternatives.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Ensure `app.use(bodyParser.json());` (or `express.json()`) is called before `app.use(sanitizeReqBody);`.","message":"The `body-parser` middleware (or equivalent for parsing JSON request bodies) must be used and placed *before* `express-html-sanitizer` in the middleware chain. If `req.body` is not populated, the sanitizer will not function.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Use `const sanitizer = require('express-html-sanitizer');` for all imports.","message":"The package only supports CommonJS `require()` syntax. Attempting to use ES Module `import` statements will result in runtime errors due to module resolution issues.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always explicitly define a `config` object with `allowedTags`, `allowedAttributes`, and other options tailored to your security requirements when initializing the middleware (e.g., `sanitizer(customConfig)`).","message":"Default sanitization rules might be too permissive for critical security contexts. `express-html-sanitizer` directly passes configuration to `sanitize-html`, which has specific default `allowedTags` and `allowedAttributes`.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Add `app.use(express.json());` or `app.use(require('body-parser').json());` before `app.use(sanitizeReqBody);` in your Express application setup.","cause":"The `req.body` object is undefined because a body parsing middleware (like `body-parser` or `express.json()`) has not been used or is placed after `express-html-sanitizer`.","error":"TypeError: Cannot read properties of undefined (reading 'body')"},{"fix":"Change your import statement to `const sanitizer = require('express-html-sanitizer');` or ensure your environment correctly handles CommonJS modules.","cause":"Attempting to use `import` syntax (`import sanitizer from 'express-html-sanitizer';`) for this CommonJS-only package in an ES Module context.","error":"ERR_REQUIRE_ESM: require() of ES Module ... not supported. Instead change the require of ... to a dynamic import() or remove the 'type': 'module' in your package.json."},{"fix":"Provide a strict `config` object to `sanitizer()` that explicitly defines only the `allowedTags` and `allowedAttributes` necessary for your application. For example: `sanitizer({ allowedTags: [], allowedAttributes: {} })` to strip all HTML.","cause":"The default `sanitize-html` configuration or your custom configuration for `express-html-sanitizer` is too permissive, allowing undesired tags or attributes.","error":"Unwanted HTML tags (e.g., <script>, <iframe>) are still present in `req.body` after sanitization."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}