XSS Validator
Enabled Validate input for malicious code.
This middleware works by default for both GET and POST methods, and will throw a 400 Bad Request error when either the body or the query params contain unsafe code. Based on https://github.com/leizongmin/js-xss
Usage
This middleware is enabled globally by default. You can customize it both globally and per route like following:
export default defineNuxtConfig({
  // Global
  security: {
    xssValidator: {
      // options
    }
  }
  // Per Route
  routeRules: {
    '/my-secret-route': {
      security: {
        xssValidator: {
          // options
        }
      }
    }
  }
})
You can also disable the middleware globally or per route by setting xssValidator: false.
Options
XSS validator accepts the following configuration options:
type XssValidator = {
  methods: Array<Uppercase<string>>;
  whiteList: Record<string, any>;
  escapeHtml: boolean;
  stripIgnoreTag: boolean;
  stripIgnoreTagBody: boolean;
  css: Record<string, any> | boolean;
  throwError: boolean;
} | {};
methods
- Default: ['GET', 'POST']
List of methods for which the validator will be invoked.
whiteList
- Default: -
By specifying a whiteList, e.g. { 'tagName': 'attr-1', 'attr-2' }. Tags and attributes not in the whitelist would be filter out
stripIgnoreTag
- Default: -
Filter out tags not in the whitelist
stripIgnoreTagBody
- Default: -
Filter out tags and tag bodies not in the whitelist
escapeHtml
- Default: -
Disable html escaping (by default < is replaced by < and > by >)
css
- Default: -
If you allow the attribute style, the value will be processed by cssfilter module.
throwError
- Default: true
Whether to throw Nuxt Error with appriopriate error code and message. If set to false, it will just return the object with the error that you can handle.