XSS Validator

Enabled Validate input for malicious code.


This middleware works by default for both GET, POST methods and will throw an 400 Bad Request error when the either body or query params contain unsecure code. Based on https://github.com/leizongmin/js-xss

ℹ Read more about performing output escaping here.

Usage

This middleware is enabled globally by default. You can customize it both globally and per route like following:

nuxt.config.ts
export default defineNuxtConfig({  // Global  security: {    xssValidator: {      // options    }  }  // Per Route  routeRules: {    '/my-secret-route': {      security: {        xssValidator: {          // options        }      }    }  }})

You can also disable the middleware globally or per route by setting xssValidator: false.

Options

XSS validator accepts following configuration options:

type XssValidator = {  methods: Array<Uppercase<string>>;  whiteList: Record<string, any>;  stripIgnoreTag: boolean;  stripIgnoreTagBody: boolean;  css: Record<string, any> | boolean;  throwError: boolean;} | {};

methods

  • Default: ['GET', 'POST']

List of methods for which the validator will be invoked. You can extend it by adding additional methods (must be uppercase).

whiteList

  • Default: -

By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out

stripIgnoreTag

  • Default: -

Filter out tags not in the whitelist

stripIgnoreTagBody

  • Default: -

Filter out tags and tag bodies not in the whitelist

css

  • Default: -

If you allow the attribute style, the value will be processed by cssfilter module.

throwError

  • Default: true

Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.