TypeError: validator.escape is not a function - ([email protected] package)

问题描述

Codecademy 视频: 链接

解释:

作为我

Codecademy Back-End Engineer training
的一部分,我必须在他们的平台之外做一个项目。该项目的目标是确保 Node 应用程序免受常见的 Web 攻击。

我面临的一个挑战是保护来自

Cross-Site Scripting (XSS) attacks
的代码。为此,我使用了一个名为
[email protected]
的包。该代码使用了一个名为
validator.escape
的函数,该函数可以防止任何恶意代码被插入到输入表单中。但是,当我尝试使用它时,控制台出现错误。

终端输出:

TypeError: validator.escape is not a function

这是代码:

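// `escape()` (HTML-entity encoding of <, >, &, ', " and /) is exported by the
// standalone "validator" package. "express-validator" exposes middleware
// builders (check(), body(), validationResult(), ...) instead, so
// require("express-validator").escape is undefined — which is exactly the
// "validator.escape is not a function" TypeError.
const validator = require("validator");

// POST /public_forum: store the submitted comment (if any) and show the forum.
// Renders the "forum" view, or redirects to "/" when the session is not logged in.
app.post("/public_forum", function (request, response) {
  if (!request.session.loggedin) {
    response.redirect("/");
    return;
  }

  const username = request.session.username;
  const rawComment = request.body.comment;
  // validator.escape() throws on non-string input (e.g. a form post without a
  // "comment" field), so only escape when a string was actually submitted.
  const comment =
    typeof rawComment === "string" ? validator.escape(rawComment) : "";
  // NOTE(review): what gets stored is the HTML-escaped text. If the "forum"
  // template escapes on output as well, stored comments will render with
  // double-encoded entities — output encoding at render time is the usual place
  // for this; confirm against the template.

  // Read the whole forum back and render it. A SELECT error is logged but the
  // page is still rendered (best effort, as in the original).
  const renderForum = () => {
    db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
      if (err) {
        console.error(err);
      }
      console.log(rows);
      response.render("forum", { rows });
    });
  };

  // Nothing to store: just show the forum.
  if (comment === "") {
    renderForum();
    return;
  }

  // Bound parameters instead of string interpolation: neither the username
  // (from the session) nor the comment is ever parsed as SQL, so they cannot
  // alter the statement's structure.
  db.run(
    `INSERT INTO public_forum (username,message) VALUES (?,?)`,
    [username, comment],
    (err) => {
      if (err) {
        console.error(err);
      }
      // Render from the INSERT callback so the new row is included; unless `db`
      // is in serialized mode (not visible here) a SELECT issued right after
      // db.run() may execute before the INSERT has completed.
      renderForum();
    }
  );
});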

Codecademy
的视频里,小伙用的就是这个功能

node.js function typeerror xss express-validator

尝试:

// The two express-validator helpers used by the route handler below.
const expressValidator = require('express-validator');
const check = expressValidator.check;
const validationResult = expressValidator.validationResult;

app.post('/public_forum', async function (request, response) {
  if (request.session.loggedin) {
    await check('comment').trim().escape().run(req);
    const validationResult = await validationResult(req);
    if (validationResult.isEmpty()) {
      // Good to go...
      const { comment } = req.body;
    }
    ...

链接到官方文档



我已经实现了你的代码。我试图同时添加恶意评论和安全评论,但我在浏览器中收到一条错误消息,显示“未找到端口 4000”。每次我运行代码时,它都会终止端口。所以我已经根据你发给我的内容实现了另一个运行良好的代码。

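// POST /public_forum: sanitize the submitted comment, store it, and re-render
// the forum for logged-in users. Responds 400 with the validation errors when
// the comment fails validation, and redirects to "/" when there is no session.
// `check` and `validationResult` come from require('express-validator'), which
// is not part of this snippet.
app.post('/public_forum', async function (request, response) {
  // Anyone without a logged-in session is sent back to the landing page.
  if (!request.session.loggedin) {
    response.redirect("/");
    return;
  }

  // Trim whitespace and HTML-escape the comment in place on request.body.
  // NOTE(review): trim() and escape() are sanitizers and never record an
  // error, so the 400 branch below only becomes reachable once a validator
  // such as .isLength({ max: ... }) is chained here.
  await check('comment').trim().escape().run(request);
  const errors = validationResult(request);
  if (!errors.isEmpty()) {
    return response.status(400).json({ errors: errors.array() });
  }

  // The sanitized value, read back from the request body.
  const { comment } = request.body;

  // Read the forum back and render it. A SELECT error is logged but the page
  // is still rendered (best effort).
  const renderForum = () => {
    db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
      if (err) {
        console.error(err);
      }
      console.log(rows);
      response.render("forum", { rows });
    });
  };

  // Empty (or missing) comment: nothing to store, just show the forum.
  if (!comment) {
    renderForum();
    return;
  }

  // Bound parameters keep both values out of the SQL text. The SELECT is
  // issued from the INSERT callback because, unless `db` is in serialized mode
  // (not visible here), the two statements are not guaranteed to run in
  // submission order — rendering first could show the forum without the new row.
  db.run(
    `INSERT INTO public_forum (username,message) VALUES (?,?)`,
    [request.session.username, comment],
    (err) => {
      if (err) {
        console.error(err);
      }
      renderForum();
    }
  );
});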


尝试导入“validator”而不是“express-validator”。我遇到过同样的问题,这对我有用。我仍然不完全理解两者之间的区别,因为 Codecademy 解释得不好,甚至在他们自己的项目中混淆了两者。

编辑:哦,你必须先安装 validator 包!
