Should I sanitize response data before sending it to the client?


I'm using the express-xss-sanitizer package to sanitize incoming requests in my Node.js Express application. However, I'm still seeing issues reported by Checkmarx regarding potential XSS attacks. I'm wondering if I need to sanitize response data before sending it to the client as well.

I've been under the impression that sanitizing input data is sufficient to prevent XSS attacks. However, the repeated Checkmarx warnings are making me doubt my understanding. Can someone clarify whether I need to sanitize response data as well?

    charityApiRouter.get('/charity/getCampaigns', async (req, res) => {
      const [err, responseBody] = await getCampaignData(req);
      if (err) {
        res.status(400).send({ success: false, err });
        return;
      }
      res._end = true;
      res.jsonp({
        success: true,
        data: responseBody.data,
      });
    });



There are 2 answers

Edward

You do not sanitize the response, since the response is generated by your application code using the input provided. If the input is sanitized, the response will be clean as well (unless you have some issue with the business logic itself). But what you should do is send the exact data you want. Meaning, instead of sending the data object directly (which is most likely a db query result), you should send the specific fields that you expect the user to consume, like:

    res.json({
      data: {
        key1: value1,
        key2: value2
      }
    })

This ensures that the user only gets the data you expect them to get. This is especially important if you are developing a public API. This way you will also not leak any unnecessary metadata to the client.

overhead

In your Node.js Express application, while using express-xss-sanitizer is a good step for sanitizing incoming requests, it's also important to consider sanitizing the response data, especially if it includes user-generated content or data from untrusted sources. XSS vulnerabilities can arise not only from processing user inputs but also from how data is outputted to the client.

Sanitizing response data helps in scenarios where the data being sent to the client could contain malicious scripts. This is particularly crucial if your application includes functionalities like user comments, forums, or any feature where data from one user is shown to others.

You can use libraries like xss to sanitize your response data. Here's a simple example:

    const xss = require('xss');

    //... your existing code ...

    res.jsonp({
      success: true,
      // Note: xss() filters an HTML string; if responseBody.data is an object
      // or array, apply it to each string field rather than to the whole value.
      data: xss(responseBody.data), // Sanitize the response data
    });

This method ensures that any potentially harmful scripts embedded in responseBody.data are neutralized before being sent to the client. Remember, it's important to sanitize data at the point where it's outputted, not just where it's inputted.

For further reading and best practices on XSS prevention, refer to the OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html.
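Added example, not code from the question or either answer: it combines Edward's point (send only an allowlist of fields, so internal metadata never reaches the client) with overhead's point (encode at the output point, which for an HTML page means escaping, while a JSON API response is not rendered as HTML by the browser). The field names, the sample DB row and the `charityApiRouter` usage in the trailing comment are assumptions made for illustration.

```javascript
// Added example: response DTO allowlist plus context-aware output encoding.
// Field names and the sample record below are constructed for illustration.

// Fields the client is allowed to receive. Anything else in the DB row
// (owner email, debug metadata, audit columns) is dropped, not sanitized.
const CAMPAIGN_PUBLIC_FIELDS = ['id', 'title', 'goal', 'description'];

// Build the response payload from a DB row: copy only allowlisted keys.
function toCampaignDto(row) {
  const dto = {};
  for (const key of CAMPAIGN_PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(row, key)) dto[key] = row[key];
  }
  return dto;
}

// Escape for an HTML text/attribute context. Needed only where a string is
// interpolated into HTML. A JSON API response (application/json) is not
// rendered as HTML by the browser, so the consuming client must encode at
// its own render point instead.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}

// Render a campaign card as server-side HTML (the case where encoding matters).
function renderCampaignHtml(dto) {
  return `<div class="campaign"><h2>${escapeHtml(dto.title)}</h2>` +
    `<p>${escapeHtml(dto.description)}</p></div>`;
}

// Constructed sample DB row, including a user-supplied description.
const sampleRow = {
  id: 42,
  title: 'Winter coats',
  goal: 5000,
  description: 'Help us reach <b>5,000</b> coats',
  ownerEmail: 'owner@example.invalid', // internal, must not reach the client
  _rawQuery: 'SELECT * FROM campaigns', // debug metadata, must not leak
};

// Hypothetical Express usage (assumes charityApiRouter and fetchRows exist):
// charityApiRouter.get('/charity/getCampaigns', async (req, res) => {
//   const rows = await fetchRows(req);
//   res.json({ success: true, data: rows.map(toCampaignDto) });
// });
```

With the allowlist, the JSON body for the sample row contains exactly four keys, and the description reaches the client unchanged; only the HTML renderer escapes it.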