XSS Validator

Enabled Validate input for malicious code.


This middleware works by default for both GET and POST methods, and will throw a 400 Bad Request error when either the body or the query params contain unsafe code. Based on https://github.com/leizongmin/js-xss

ℹ Read more about performing output escaping here.

Usage

This middleware is enabled globally by default. You can customize it both globally and per route like following:

nuxt.config.ts
export default defineNuxtConfig({  // Global  security: {    xssValidator: {      // options    }  }  // Per Route  routeRules: {    '/my-secret-route': {      security: {        xssValidator: {          // options        }      }    }  }})

You can also disable the middleware globally or per route by setting xssValidator: false.

Options

XSS validator accepts the following configuration options:

type XssValidator = {  methods: Array<Uppercase<string>>;  whiteList: Record<string, any>;  stripIgnoreTag: boolean;  stripIgnoreTagBody: boolean;  css: Record<string, any> | boolean;  throwError: boolean;} | {};

methods

  • Default: ['GET', 'POST']

List of methods for which the validator will be invoked.

whiteList

  • Default: -

By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out

stripIgnoreTag

  • Default: -

Filter out tags not in the whitelist

stripIgnoreTagBody

  • Default: -

Filter out tags and tag bodies not in the whitelist

css

  • Default: -

If you allow the attribute style, the value will be processed by cssfilter module.

throwError

  • Default: true

Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.