Passing a password variable #11

Closed
razchen opened this issue May 3, 2018 · 4 comments
Comments

razchen commented May 3, 2018

If you pass a variable that might have a dollar sign, then content-filter will throw a 403.
Any way to override this? Maybe there should be a possibility of excluding certain variables.

efkan (Owner) commented May 3, 2018

Filtering is performed by using 3 options:

  1. bodyBlackList, used to audit the values of the body fields. It takes a string array as parameter and the default value is ['$']. If the form data has $ data under normal conditions, this parameter must be overridden or removed as follows:
  • to remove body filtering: app.use(filter({bodyBlackList:[null]}))
  • to override body filter parameters: app.use(filter({bodyBlackList:['#','another']}))
  2. urlBlackList, used to audit the incoming URL. It takes a string array as parameter and the default values are ['$','{']. If the URL data has $ or { values under normal conditions, this parameter must be overridden or removed as follows:
  • to remove URL filtering: app.use(filter({urlBlackList:[null]}))
  • to override URL filtering: app.use(filter({urlBlackList:['word1', 'word2']}))
  3. checkNames, used to evaluate the keys of an object when auditing with the bodyBlackList values. (Objects consist of keys and their values, for example: { 'key': 'value', 'a': 1 }.) The default value is true (boolean). If incoming objects might have $ or the characters you give in bodyBlackList, it must be changed to false.
  • to stop checkNames of objects: app.use(filter({checkNames:false}))

Also, the library has other helper options like typeList, methodList and caseSensitive.

Hope this helps you.

razchen (Author) commented May 3, 2018

Let's say I would want content-filter to filter all content using its default values but exclude a password variable where there might be a dollar sign passed. How is that possible?

efkan (Owner) commented May 3, 2018

This case makes sense.

I guess you prefer the POST method for transmitting the password value. Therefore the $ sign is caught when content filtering according to the bodyBlackList values.

This module does not have a fieldExclusionList yet, but it can be added easily.

And an important note: as the fieldExclusionList length increases, the performance of the system decreases.

However, I don't have enough time to update and test it these days.

If you don't want to wait, I would say that only a fieldExclusionList option and a condition must be added before this line. If the key is found in the exclusion list, continue the for loop; else buffer += (includeKey ? key : '') + visitNode(obj[key]);.

And then a lot of tests have to be done.

Also PRs are welcome :)

Reminders for me:
If an exception is provided for a password field, and if the system uses a NoSQL database, it means there will also be an injection risk.
If the system uses a conventional SQL database then is there a reason to filter characters?
On the other hand, a developer might prefer filtering swearwords, except for the password field.
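
The exclusion the maintainer sketches above, as an added example that is not the content-filter module's own code: a minimal re-implementation of the body walk with a fieldExclusionList option, run against the password case from the report. The option name fieldExclusionList, the `run` stand-in for Express's req/res, and the simplified walk are assumptions; the real module's visitNode and its other options are not reproduced.

```javascript
// Added example, not the content-filter module's own code: a minimal
// re-implementation of the body check discussed in this issue, plus the proposed
// fieldExclusionList option. No Express needed; it runs stand-alone with node.
const DEFAULTS = { bodyBlackList: ['$'], checkNames: true, fieldExclusionList: [] };

// Walk req.body recursively; return the dotted path of the first field that
// contains a blacklisted word in its key (if checkNames) or value, else null.
function findBlacklisted(obj, opts, path = '') {
  const hasBadWord = (s) => opts.bodyBlackList.some((w) => String(s).includes(w));
  for (const key of Object.keys(obj)) {
    // The "continue" the maintainer describes: an excluded field is skipped, key and value.
    if (opts.fieldExclusionList.includes(key)) continue;
    const here = path ? `${path}.${key}` : key;
    if (opts.checkNames && hasBadWord(key)) return here;
    const value = obj[key];
    if (value !== null && typeof value === 'object') {
      const hit = findBlacklisted(value, opts, here);
      if (hit) return hit;
    } else if (hasBadWord(value)) {
      return here;
    }
  }
  return null;
}

// Express-style middleware factory: answer 403 on a hit, otherwise call next().
function filter(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  return function (req, res, next) {
    const body = req.body && typeof req.body === 'object' ? req.body : {};
    const hit = findBlacklisted(body, opts);
    if (hit) return res.status(403).send(`blocked field: ${hit}`);
    return next();
  };
}

// Tiny stand-in for Express's req/res so the middleware can be exercised offline;
// returns { status, message }, where 200/'ok' means the request passed through.
function run(middleware, body) {
  const result = { status: 200, message: 'ok' };
  const res = { status(code) { result.status = code; return this; }, send(msg) { result.message = msg; } };
  middleware({ body }, res, () => {});
  return result;
}

// Defaults block "p$ss" in password (the 403 from the report); excluding the
// field lets it through, but also lets an operator object through unchecked.
const excluding = filter({ fieldExclusionList: ['password'] });
console.log(run(filter(), { user: 'bob', password: 'p$ss' }).status);   // 403
console.log(run(excluding, { password: { $gt: '' } }).status);          // 200
```

The last case is the injection risk from the reminders: an excluded field is never inspected, so the application must still reject non-string values for it (for example, typeof req.body.password !== 'string') before the value reaches a NoSQL query.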

efkan (Owner) commented Apr 7, 2021

I think this issue is stale and likely it lost its importance.

efkan closed this as completed Apr 7, 2021