Express HTML Sanitizer Middleware

1.0.1 verified Thu Apr 23 auth: no javascript abandoned

express-html-sanitizer is an Express JS middleware designed to clean up and sanitize JSON request bodies by recursively removing unwanted HTML tags. It leverages the `sanitize-html` module for its core sanitization logic. The package is currently at version 1.0.1 and appears to be in an abandoned state, with no updates or commits in several years, meaning it lacks a defined release cadence and may not be actively maintained for security or feature updates. Its primary differentiator is its recursive application of HTML sanitization directly within the Express middleware chain, making it suitable for RESTful services that process JSON inputs potentially containing user-generated HTML.

error TypeError: Cannot read properties of undefined (reading 'body')
cause The `req.body` object is undefined because a body parsing middleware (like `body-parser` or `express.json()`) has not been used or is placed after `express-html-sanitizer`.
fix Add `app.use(express.json());` or `app.use(require('body-parser').json());` before `app.use(sanitizeReqBody);` in your Express application setup.
error ERR_REQUIRE_ESM: require() of ES Module ... not supported. Instead change the require of ... to a dynamic import() or remove the 'type': 'module' in your package.json.
cause Attempting to use `import` syntax (`import sanitizer from 'express-html-sanitizer';`) for this CommonJS-only package in an ES Module context.
fix Change your import statement to `const sanitizer = require('express-html-sanitizer');` or ensure your environment correctly handles CommonJS modules.
error Unwanted HTML tags (e.g., <script>, <iframe>) are still present in `req.body` after sanitization.
cause The default `sanitize-html` configuration or your custom configuration for `express-html-sanitizer` is too permissive, allowing undesired tags or attributes.
fix Provide a strict config object to `sanitizer()` that explicitly defines only the `allowedTags` and `allowedAttributes` necessary for your application. For example, `sanitizer({ allowedTags: [], allowedAttributes: {} })` strips all HTML tags while keeping their text content.
breaking This package is abandoned and has not received updates in over four years. It may contain security vulnerabilities from outdated dependencies (especially `sanitize-html`) or lack crucial bug fixes. Use with caution or consider actively maintained alternatives.
fix Evaluate actively maintained HTML sanitization libraries for Express, or fork and maintain the package yourself.
gotcha The `body-parser` middleware (or equivalent for parsing JSON request bodies) must be used and placed *before* `express-html-sanitizer` in the middleware chain. If `req.body` is not populated, the sanitizer will not function.
fix Ensure `app.use(bodyParser.json());` (or `express.json()`) is called before `app.use(sanitizeReqBody);`.
gotcha The package only supports CommonJS `require()` syntax. Attempting to use ES Module `import` statements will result in runtime errors due to module resolution issues.
fix Use `const sanitizer = require('express-html-sanitizer');` for all imports.
gotcha Default sanitization rules might be too permissive for critical security contexts. `express-html-sanitizer` directly passes configuration to `sanitize-html`, which has specific default `allowedTags` and `allowedAttributes`.
fix Always explicitly define a `config` object with `allowedTags`, `allowedAttributes`, and other options tailored to your security requirements when initializing the middleware (e.g., `sanitizer(customConfig)`).
npm install express-html-sanitizer
yarn add express-html-sanitizer
pnpm add express-html-sanitizer

Demonstrates setting up an Express application with `body-parser` and `express-html-sanitizer` middleware to sanitize POST request bodies using a custom configuration before handling the request.

const express = require('express');
const sanitizer = require('express-html-sanitizer');
const bodyParser = require('body-parser');
const app = express();

// Make some custom configuration if you want (optional).
// The object is passed straight through to sanitize-html.
const config = {
	allowedTags: ['b', 'i', 'em', 'strong', 'a'],
	allowedAttributes: {'a': ['href']},
	// Only matters if 'iframe' is also in allowedTags; with the list above,
	// iframes are removed entirely and this option has no effect.
	allowedIframeHostnames: ['www.youtube.com']
};

// Get the middleware with custom configuration
const sanitizeReqBody = sanitizer(config);

// Add body-parser middleware BEFORE the sanitizer
app.use(bodyParser.json());

// Add express-html-sanitizer middleware
app.use(sanitizeReqBody);

app.post('/post', (req, res) => {
	// req.body now contains sanitized JSON data
	console.log('Sanitized request body:', req.body);
	res.json({ message: 'Data received and sanitized', data: req.body });
});

app.listen(8080, () => {
	console.log('Express server started on port 8080');
});
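To make the recursive behaviour described above concrete, here is an added example (not the package's or sanitize-html's own code) that re-implements the middleware's core: walk `req.body`, sanitize every string leaf, leave other JSON values alone, and fail loudly when the body parser is missing. `escapeHtml` is an assumed stand-in for `sanitizeHtml` from `sanitize-html` so the snippet runs offline; `sanitizeValue`, `sanitizeBody` and `runSample` are names chosen here.

```javascript
// Stand-in for sanitize-html so the example runs without the dependency.
// It HTML-encodes rather than strips tags; pass sanitizeHtml in a real app.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Rebuild a JSON value recursively, cleaning strings and leaving numbers,
// booleans and null untouched. Object.fromEntries defines own data properties,
// so a key named "__proto__" in the incoming JSON cannot reach the prototype.
function sanitizeValue(value, clean, depth = 0) {
  if (depth > 32) throw new RangeError('request body nested too deeply');
  if (typeof value === 'string') return clean(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeValue(v, clean, depth + 1));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeValue(v, clean, depth + 1)])
    );
  }
  return value;
}

// Middleware factory shaped like sanitizer(config) on this page.
function sanitizeBody(clean) {
  return function (req, res, next) {
    // The body-parser gotcha: with no JSON parser mounted ahead of us,
    // req.body is undefined, which is where the TypeError above comes from.
    if (req.body === undefined) {
      return next(new Error('req.body is undefined: mount express.json() before the sanitizer'));
    }
    try {
      req.body = sanitizeValue(req.body, clean);
    } catch (err) {
      return next(err);
    }
    next();
  };
}

// Constructed sample body with user-supplied HTML at several nesting levels.
const sampleBody = {
  title: '<b>hello</b><script>alert(1)</script>',
  tags: ['<i>x</i>', 42, null],
  author: { name: '<img src=x onerror=alert(1)>', verified: true },
};

// Drive the middleware with a fake req/res/next, as a unit test would.
function runSample(body) {
  const req = { body };
  let error = null;
  sanitizeBody(escapeHtml)(req, {}, (err) => { error = err || null; });
  return { body: req.body, error };
}
```

Running `runSample(sampleBody)` leaves the numbers, `null` and `true` intact and encodes every string, while `runSample(undefined)` hands an error to `next()` instead of throwing inside the middleware.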