Mongoose and Query Injection when using Javascript?

Question

How does MongoDB address SQL or Query injection? explains how to handle query injection with BSON when using javascript on the server. I haven't been able to track down how/whether Mongoose handles query injection though.

At this point I have two questions:

1. Does Mongoose protect against query injection (using BSON or some other method)
2. If it does, are there any quirks with it's implementation that a developer need to be aware of?

Answer 1

Mongoose does not protect against query injection so unfortunately you will need to perform your own injection detection following the guidelines from the link above.