Add a custom sanitization function for the "Tag" property (#546)

* Add a custom sanitization function for the tag property in create call body * remove tag.* property from schema * do not escape URLs but validate them * apply suggestions from PR review --------- Co-authored-by: Markus Frindt <m.frindt@cognigy.com>
2025-12-20 16:50:39 +00:00 · 2023-11-27 19:03:47 +01:00
parent 9478f3a1b8
commit 7e349fe4e5
2 changed files with 38 additions and 9 deletions
--- a/lib/http-routes/schemas/create-call.js
+++ b/lib/http-routes/schemas/create-call.js
@@ -46,11 +46,6 @@ const createCallSchema = checkSchema({
    optional: true,
    errorMessage: 'Invalid tag',
  },
-  'tag.*': {
-    trim: true,
-    escape: true,
-    stripLow: true,
-  },
  app_json: {
    isString: true,
    optional: true,
@@ -109,6 +104,34 @@ const createCallSchema = checkSchema({
  }
 }, ['body']);

-module.exports = {
-  createCallSchema
+const customSanitizeFunction = (value) => {
+  try {
+    if (Array.isArray(value)) {
+      value = value.map((item) => customSanitizeFunction(item));
+    } else if (typeof value === 'object') {
+      Object.keys(value).forEach((key) => {
+        value[key] = customSanitizeFunction(value[key]);
+      });
+    } else if (typeof value === 'string') {
+      /* trims characters at the beginning and at the end of a string */
+      value = value.trim();
+
+      /* We don't escape URLs but verify them via new URL */
+      if (value.includes('http')) {
+        value = new URL(value).toString();
+      } else {
+        /* replaces <, >, &, ', " and / with their corresponding HTML entities */
+        value = escape(value);
+      }
+    }
+  } catch (error) {
+    value = `Error: ${error.message}`;
+  }
+
+  return value;
+};
+
+module.exports = {
+  createCallSchema,
+  customSanitizeFunction
 };