A plugin for Elysia.js that provides XSS (Cross-Site Scripting) protection by sanitizing request body data.
```bash
npm install elysia-xss
```
- Automatic XSS protection for request body data
- Recursive sanitization of nested objects and arrays
- Configurable scope options
- Zero runtime overhead (instantiated once)
- Lightweight with minimal dependencies
- Built for Elysia.js and Bun
```bash
bun add elysia-xss
```
```typescript
import { Elysia } from 'elysia'
import { elysiaXSS } from 'elysia-xss'

const app = new Elysia()
  .use(elysiaXSS()) // Use default XSS options
  .post("/comment", ({ body }) => body)
  .listen(3000)
```
The plugin accepts the standard configuration options of the `xss` library. By default, it uses that library's default whitelist.
```typescript
const app = new Elysia()
  .use(elysiaXSS({
    whiteList: { a: ['href', 'title', 'target'] }, // Custom whitelist: only <a> with these attributes
    stripIgnoreTag: true // Remove tags not in the whitelist (their text content is kept)
  }))
```
1. Auto-Sanitization: Automatically sanitizes every string value in the request body, including strings nested inside objects and arrays.
2. Secure by Design: Sanitization runs before validation, so validation rules are evaluated against the sanitized body rather than the raw payload (for example, a length limit is checked on the string that remains after tags are stripped, not on the original input).
   - Note: Your validation logic and handlers only ever see the sanitized content.
3. Type Safety: Preserves input types and schema inference; non-string values (numbers, booleans, null) pass through unchanged.
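The following is an added example, not the plugin's own code, showing the two behaviours described above: a recursive walk that sanitizes only string leaves of a request body (leaving numbers, booleans and null untouched), and a "sanitize, then validate" pipeline in which the validator only sees the cleaned body. The `escapeHtml` function is a constructed stand-in for the `xss` library's filter so that the file runs with no dependencies; `sanitizeDeep`, `validateComment`, `handleComment` and `sampleBody` are hypothetical names chosen for this example.

```typescript
// Added example (not elysia-xss's own code). `escapeHtml` stands in for the
// `xss` library's filter so this runs offline; the real plugin delegates to xss.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Stand-in sanitizer (assumption): neutralises the characters that let a
// string break out of a text context. The real plugin applies xss's whitelist.
export function escapeHtml(input: string): string {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Walks an arbitrary JSON body and sanitizes every string leaf. Numbers,
// booleans and null are returned as-is, so the body keeps its shape and types.
export function sanitizeDeep(value: Json, sanitize: (s: string) => string = escapeHtml): Json {
  if (typeof value === 'string') return sanitize(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeDeep(v, sanitize));
  if (value !== null && typeof value === 'object') {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = sanitizeDeep(v, sanitize); // keys are left untouched; only values are content
    }
    return out;
  }
  return value; // number | boolean | null
}

// Minimal validator standing in for a schema rule such as maxLength on `text`.
export function validateComment(body: Json, maxLength: number): { ok: boolean; reason?: string } {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'body must be an object' };
  }
  const text = body.text;
  if (typeof text !== 'string') return { ok: false, reason: 'text must be a string' };
  if (text.length > maxLength) return { ok: false, reason: `text longer than ${maxLength}` };
  return { ok: true };
}

// Sanitize first, then validate: the validator never sees the raw payload.
export function handleComment(rawBody: Json, maxLength: number): { body: Json; result: { ok: boolean; reason?: string } } {
  const clean = sanitizeDeep(rawBody);
  return { body: clean, result: validateComment(clean, maxLength) };
}

// Constructed sample request body with nested objects and arrays.
export const sampleBody: Json = {
  text: '<script>alert(1)</script>hello',
  tags: ['<b>x</b>', 'safe'],
  author: { name: 'a<img src=x onerror=alert(1)>', age: 30, verified: true },
  parent: null,
};

console.log(JSON.stringify(handleComment(sampleBody, 100), null, 2));
```

Because the stand-in escapes rather than strips, sanitized strings get longer; with the real `xss` filter and `stripIgnoreTag`, they usually get shorter. Either way the point is the same: `validateComment` receives the string as it exists after sanitization, so a `maxLength` check applies to what your handler will actually store or render, not to the raw bytes that arrived on the wire.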
- `elysia` - The web framework
- `xss` - XSS sanitizer
MIT
Contributions are welcome! Please feel free to submit a Pull Request.