This commit is contained in:
@@ -0,0 +1,48 @@
|
||||
import {
|
||||
Injectable,
|
||||
NestInterceptor,
|
||||
ExecutionContext,
|
||||
CallHandler,
|
||||
} from '@nestjs/common';
|
||||
import { Observable } from 'rxjs';
|
||||
|
||||
/**
|
||||
* Strips HTML/script tags from all string values in the request body.
|
||||
* Applied globally to prevent stored XSS via API inputs.
|
||||
*/
|
||||
@Injectable()
|
||||
export class SanitizeInterceptor implements NestInterceptor {
|
||||
intercept(context: ExecutionContext, next: CallHandler): Observable<unknown> {
|
||||
const request = context.switchToHttp().getRequest();
|
||||
|
||||
if (request.body && typeof request.body === 'object') {
|
||||
request.body = this.sanitize(request.body);
|
||||
}
|
||||
|
||||
return next.handle();
|
||||
}
|
||||
|
||||
private sanitize(value: unknown): unknown {
|
||||
if (typeof value === 'string') {
|
||||
return this.stripTags(value);
|
||||
}
|
||||
|
||||
if (Array.isArray(value)) {
|
||||
return value.map((item) => this.sanitize(item));
|
||||
}
|
||||
|
||||
if (value !== null && typeof value === 'object') {
|
||||
const sanitized: Record<string, unknown> = {};
|
||||
for (const [key, val] of Object.entries(value)) {
|
||||
sanitized[key] = this.sanitize(val);
|
||||
}
|
||||
return sanitized;
|
||||
}
|
||||
|
||||
return value;
|
||||
}
|
||||
|
||||
private stripTags(input: string): string {
|
||||
return input.replace(/<[^>]*>/g, '');
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user