Sanitizing arrays loses data except first item #791
Comments
Seeing the same issue in v6.14.5.

Although

@fedeci again, if it isn't changed, could you add it to the documentation? The behavior is a matter of taste, but it's surprising and nowhere mentioned. The documentation for

@favph Sure I will, however to require a minimum array length you can use

@fedeci another thing regarding the Validator.js adapter:

```ts
// this is the function used to convert values to string
export function toString(value: any, deep = true): string {
  if (Array.isArray(value) && value.length && deep) {
    return toString(value[0], false);
  } else if (value instanceof Date) {
    return value.toISOString();
  } else if (value && typeof value === 'object' && value.toString) {
    return value.toString();
  } else if (value == null || (isNaN(value) && !value.length)) {
    return '';
  }
  return String(value);
}
```

I don't know if this warrants an issue, but I find it suboptimal that a user can easily (by supplying their own E.g. use the example here and:

```
curl 'localhost:8081?username\[0\]=foo&username\[toString\]=bar'
```

@favph This is the error returned to me:

```
TypeError: value.toString is not a function
```

And can easily be fixed by checking for the type of

```ts
} else if (value && typeof value === 'object' && typeof value.toString === 'function') {
```

edit: definitely it's not only that, I'm working on this!

edit: I have carefully analyzed this behavior and I honestly don't think it needs to be changed because it is not a validation error but a "user error". I mean, if we don't catch errors thrown from

OTOH this exception is caused by an internal call to an untrusted It's not that express-validator should catch exceptions, but that it should – if possible – avoid this call. Again, thanks for looking into it!
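
The failure discussed in the comments above, as an added example that is not part of the original thread or the project's code: it runs a JavaScript port of the quoted adapter function, the same function with the proposed `typeof` check, and a hardened variant against the input from the `curl` request. The names `makeToString`, `toStringHardened` and `attempt` are hypothetical, and the `parsed` object is constructed by hand on the assumption that the query parser turns the mixed index/`toString` keys into a plain object.

```javascript
// Constructed input: the shape a nested query-string parser is assumed to
// yield for ?username[0]=foo&username[toString]=bar (built by hand here).
const parsed = { 0: 'foo', toString: 'bar' };

// JavaScript port of the adapter function quoted in the thread. With
// checkCallable=true it applies the one-line typeof check proposed there.
function makeToString(checkCallable) {
  return function convert(value, deep = true) {
    if (Array.isArray(value) && value.length && deep) {
      return convert(value[0], false);
    } else if (value instanceof Date) {
      return value.toISOString();
    } else if (value && typeof value === 'object' &&
        (checkCallable ? typeof value.toString === 'function' : value.toString)) {
      return value.toString(); // throws when toString is the string 'bar'
    } else if (value == null || (isNaN(value) && !value.length)) {
      return ''; // the isNaN() test above coerces objects and can throw
    }
    return String(value);
  };
}

// Hypothetical hardened variant (not the project's fix): objects are handled
// before any implicit coercion, and a non-callable toString yields ''.
function toStringHardened(value, deep = true) {
  if (Array.isArray(value) && value.length && deep) {
    return toStringHardened(value[0], false);
  } else if (value instanceof Date) {
    return value.toISOString();
  } else if (value == null || Number.isNaN(value)) {
    return '';
  } else if (typeof value === 'object') {
    return typeof value.toString === 'function' ? String(value.toString()) : '';
  }
  return String(value);
}

// Run a converter and report its result or the error it threw.
function attempt(fn, value) {
  try {
    return { ok: true, result: fn(value) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

console.log(attempt(makeToString(false), parsed)); // quoted function
console.log(attempt(makeToString(true), parsed));  // with the typeof check
console.log(attempt(toStringHardened, parsed));    // hardened variant
```

With the `typeof` check alone the exception only moves: the object no longer matches the third branch, so it reaches `isNaN(value)`, which tries to coerce it to a primitive and fails.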

Hi hi, https://github.com/express-validator/express-validator/releases/tag/v7.0.0 is out with a fix for this 🙂

Version: express-validator 6.2.0

Send POST data:

After `sanitizeBody("*").escape()` POST data changed to:

And array data of `genre` lost!