Socket.io sanitize incoming data (xss)

Question

im using socket.io in expressjs 3. And i want to sanitize incoming messages with express-validator. I have this code:

var expressValidator = require('express-validator')
, sanitize = require('express-validator').sanitize;

socket.on('chat', function (data) {
    io.sockets.in('test').emit('chat', {
            user: sh.session.user,
            message: data.message,
            time: new Date()
    });
});

how do i use sanitize(data.message).xss? Because this does not work.

Answer 1

In this case you want to use validator instead of express-validator. First install it thru npm:

npm install validator

Then use it pretty much the same way:

var sanitize = require('validator').sanitize;

// later on
message = sanitize(data.message).xss()

The reason for this is because express-validator is used for when you are dealing with an HTTP request that went thru expressjs. In the case of Websockets, you are not going thru expressjs, but rather just listening on the same port as it. So express-validator is not actually "present" in the context of your Websocket's data event.