CODEWITHSUNDEEP
javascriptnode.jsexpress
prototype
prototype

Reputation: 7970

Safely pass object to client in Node.js/express

A common question is how to pass an object from Node.js/Express.js to the browser. It's possible to do that using JSON stringify, but if the object contains user-provided data, that can open the door to script-injection and possibly other attacks.

Is there a downside to the approach mentioned in this link using Base64?

https://stackoverflow.com/a/37920555/645715

Related links:

Passing an object to client in node/express + ejs?

How to pass a javascript object that contains strings with quotes from node.js to the browser?

Pass a NodeJS express object to AngularJS 1.6

Passing an object to client in node/express + ejs?

Upvotes: 1

Views: 758

Answers (1)

Matti Price
Matti Price

Reputation: 3551

Using Base64 encoding does solve the immediate problem of passing back an injection attack, but it doesn't necessarily solve the issue of having a possible injection attack floating around out there. For example, this fiddle shows that it does prevent the immediate issue : https://jsfiddle.net/9prhkx74/

var test2 = JSON.parse(window.atob('PC9zY3JpcHQ+PHNjcmlwdD5hbGVydCgndGVzdDInKTwvc2NyaXB0PjxzY3JpcHQ+'));

This won't show an alert box, it'll just throw an error about invalid JSON. But if you change it to the literal string, it'll show the alert box (injection vulnerable)

var test2 = JSON.parse("</script><script>alert('test2')</script><script>")

Now if you are immediately parsing it to a JSON object, it'll blow up, and everything will be "safe". But if you assign it to a value because you are going to pass it around some more etc, you still have a potential issue out there.

Instead of putting a bandaid on the injection itself, I'd suggest fixing it in the first place and properly escaping data before passing it back to the client or processing it on the server side.

There are plenty of libraries that can help do this

https://www.npmjs.com/package/sanitize https://www.npmjs.com/package/express-sanitizer

Here's a pretty good article that kind of highlights why it is important to sanitize and not just just patch over potentially malicious data : https://lockmedown.com/5-steps-handling-untrusted-node-js-data/

Upvotes: 2

Related Questions