Is there a way to sanitise request inputs using zod?

[SandeepGamot]

Hey everyone, I'm new to zod.

I'm wondering If is it possible to sanitize parsed requests using the .transform() method in zod.

For example: let's say I have a /login route where user needs to input email and password. Which will be sent into the body of the request. Now I can parse the input using zod but I want to sanitize them before letting my server read and start executing commands using those inputs.

I'm open to using any other packages to sanitize inputs, if it works well with zod.

[nullndr]

You can use the .transform() method with any sanitization function on the schema:

const s = z.object({ email: z.string(), pass: z.string() }).transform(v => {
  return {
    email: sanitize(v.email),
    pass: sanitize(v.pass),
  }
})

[Fritze1602]

Thank you for your solution. But I want to sanitize before I validate. Because of length checks etc. Its more interesting if the sanitized string meets my Zod conditions. Or am I wrong?

[JacobWeisenburger]

try something like this:

const schema = z.object( {
    email: z.string(),
    pass: z.string()
} ).transform( v => ( {
    email: sanitize( v.email ),
    pass: sanitize( v.pass ),
} ) ).pipe(
    z.object( {
        email: z.string().max( 5 ),
        pass: z.string().max( 5 )
    } )
)

If you found my answer satisfactory, please consider supporting me. Even a small amount is greatly appreciated. Thanks friend! 🙏
https://github.com/sponsors/JacobWeisenburger

[aravsanj]

Thank you for your solution. But I want to sanitize before I validate. Because of length checks etc. Its more interesting if the sanitized string meets my Zod conditions. Or am I wrong?

I think you should validate first. Because validation is used to check the user's input format.

Sanitization could change how the input looks. Since its purpose is to prevent injection attacks.

If your user's input doesn't match the schema, you should probably reject it before sanitizing.

You can validate / sanitize in frontend as well so you can make sure your regular users are sending in appropriate data.

[nullndr]

Sanification in the frontend is not a good idea since it would be sufficient to forge a request with invalid data.

Always validate and sanitize the data you receive in the server.

However it is correct to reject data that have not passed the validation before sanitification because it is probably a malformed one, take the following example:

const sanitizeInput = (input: strin) => {
  ...
}

const schema = z.object({
  email: z.string(),
}).transform(({ email }) => ({ email: sanitizeInput(email) }));

If the input from the body of a POST request is { email: null } does it even make sense the call to sanitizeInput()? In this case the transform() method would not be called, because the schema validation would fail before, but it's good to show that you have to make sure the data you are receiving is the one you are expecting to work with.

[sbeben]

good day, sir
i am a bit confused, because, correct me if i'm wrong, if the request contains some malicious script with escape mechanisms, than it may kick in during the .string() validation, so, in this case, sanitisation is already pointless, no?

[gkatsanos]

so one needs an external/other function/library to sanitize, transform() by itself won't do it?

[nullndr]

The transform() method is just to transform an input value A in another value B, you can think of it like the map() method.

Zod itself is not about user input sanification, but just input validation.

[fzn0x]

Try this

import { z } from "zod";

const escapeHtml = (text: string) => {
  const map: Record<string, string> = {
    "<": "&lt;",
    ">": "&gt;",
    "&": "&amp;",
    "'": "&#39;",
    '"': "&quot;",
    "/": "&#47;",
  };
  return text.replace(/[<>&'"\/]/g, (char: string): string => map[char]);
};

const safeHtmlString = z.string().transform((str) => escapeHtml(str));

// Example Usage
try {
  const safeText = safeHtmlString.parse('<script>alert("hi")</script>');
  console.log(safeText); // &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;
} catch (error) {
  console.error(error);
}

[codeBelt]

I wanted to share what I use in our codebase.

import {type z} from 'zod';

/**
 * Enhances a Zod schema by providing a default value for inputs that may be null or undefined.
 *
 * Unlike the `.default()` method, which only applies when a key is missing, this function
 * ensures that nullish values (null or undefined) are also handled appropriately, providing
 * a consistent output by transforming them into the given default value.
 *
 * @example
 *    const ModelSchema = z.object({
 *      title: z.string(),
 *      userName: addDefaultValue(z.string(), 'Anonymous'),
 *      tags: addDefaultValue(z.array(z.string()), []),
 *      optionalComment: addDefaultValue(z.string(), ''),
 *    });
 */
export function addDefaultValue<T>(schema: z.ZodType<T>, defaultValue: T) {
  return schema.nullish().transform((value) => value ?? defaultValue) as z.ZodType<T>;

  /* // todo: should we validate the defaultValue data?
  return schema
    .nullish()
    .transform((value) => value ?? defaultValue)
    .pipe(schema) as z.ZodType<T>;
  */
}