
Commit c2be807

committed
Version 0.1.2
1 parent 4daa45d commit c2be807

2 files changed

Lines changed: 36 additions & 1 deletion

File tree

README.md

Lines changed: 35 additions & 0 deletions
@@ -93,6 +93,37 @@ req: {
9393

9494
Checking `req.body` may be turned off by using `app.use(hpp({ checkBody: false }))`.
9595

96+
## Whitelisting Specific Parameters
97+
98+
The `whitelist` option allows to specify parameters that shall not be touched by HPP. Usually specific parameters of a certain route are intentionally used as arrays. For that use the following approach that involves multiple HPP middlewares:
99+
100+
``` js
101+
// Secure all routes at first.
102+
// You could add separate HPP middlewares to each route individually but the day will come when you forget to secure a new route.
103+
app.use(hpp());
104+
105+
// Add a second HPP middleware to apply the whitelist only to this route.
106+
app.use('/search', hpp({ whitelist: [ 'filter' ] }));
107+
```
108+
109+
```
110+
GET /search?package=HPP&package=Helmet&filter=nodejs&filter=iojs
111+
112+
=>
113+
114+
req: {
115+
query: {
116+
package: 'HPP',
117+
filter: [ 'nodejs', 'iojs' ], // Still an array
118+
},
119+
queryPolluted: {
120+
package: [ 'HPP', 'Helmet' ]
121+
}
122+
}
123+
```
124+
125+
The whitelist works for both `req.query` and `req.body`.
126+
96127
## Contributing
97128

98129
To set up your development environment for HPP:
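Review bot: The new section does not say how the second middleware in the example ends up with `filter` intact: `app.use(hpp())` runs first for every route and, per the existing behaviour documented above it, would already have moved the duplicate `filter` values into `req.queryPolluted` before `hpp({ whitelist: [ 'filter' ] })` sees the request, yet the sample output shows `filter: [ 'nodejs', 'iojs' ]` back in `req.query`. State explicitly that a whitelisted parameter is restored from `req.queryPolluted` when an earlier HPP middleware has already stripped it (if that is what the implementation does), otherwise readers will assume they must drop the global middleware. The paragraph should also warn that a whitelisted parameter reaches the route handler as a string when sent once and as an array when sent more than once, so the `/search` handler has to accept both shapes; the `// Still an array` comment only shows the two-value case. Minor: "allows to specify" should read "allows you to specify", and the opening fence is written as ``` js with a space, which not every renderer treats as a language tag; the second block, which is a request/response transcript rather than JavaScript, could simply stay untagged.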
@@ -109,6 +140,10 @@ If you want to debug a test you should use `gulp test-without-coverage` to run a
109140

110141
## Change History
111142

143+
- v0.1.2 (2015-05-18)
144+
- Added [whitelist feature](#whitelisting-specific-parameters)
145+
*Thanks to @avaly for suggesting this in [issue #1](https://github.com/analog-nico/hpp/issues/1)*
146+
- Updated dependencies
112147
- v0.1.1 (2015-04-16)
113148
- Removed two closures
114149
- Updated lodash
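Review bot: The v0.1.2 entry lists "Updated dependencies", but the only other file in this commit is package.json and its hunk changes nothing except the `version` field, so the dependency update is not part of this diff; either name the packages that were updated (and the commit that did it) or drop the bullet so the changelog stays traceable to the history. Also check the indentation of the `*Thanks to @avaly ...*` credit line: it follows the "Added whitelist feature" bullet without a list marker, and unless it is indented under that bullet Markdown will render it as a separate paragraph that closes the list.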

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "hpp",
3-
"version": "0.1.1",
3+
"version": "0.1.2",
44
"description": "Express middleware to protect against HTTP Parameter Pollution attacks",
55
"keywords": [
66
"hpp",
