Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-sanitize-output.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown140 linesFree

rules/security-sanitize-output.md

1---
2title: Sanitize Output to Prevent XSS
3impact: HIGH
4impactDescription: XSS vulnerabilities can compromise user sessions and data
5tags: security, xss, sanitization, html
6---
7 
8## Sanitize Output to Prevent XSS
9 
10While NestJS APIs typically return JSON (which browsers don't execute), XSS risks exist when rendering HTML, storing user content, or when frontend frameworks improperly handle API responses. Sanitize user-generated content before storage and use proper Content-Type headers.
11 
12**Incorrect (storing raw HTML without sanitization):**
13 
14```typescript
15// Store raw HTML from users
16@Injectable()
17export class CommentsService {
18  async create(dto: CreateCommentDto): Promise<Comment> {
19    // User can inject: <script>steal(document.cookie)</script>
20    return this.repo.save({
21      content: dto.content, // Raw, unsanitized
22      authorId: dto.authorId,
23    });
24  }
25}
26 
27// Return HTML without sanitization
28@Controller('pages')
29export class PagesController {
30  @Get(':slug')
31  @Header('Content-Type', 'text/html')
32  async getPage(@Param('slug') slug: string): Promise<string> {
33    const page = await this.pagesService.findBySlug(slug);
34    // If page.content contains user input, XSS is possible
35    return `<html><body>${page.content}</body></html>`;
36  }
37}
38 
39// Reflect user input in errors
40@Get(':id')
41async findOne(@Param('id') id: string): Promise<User> {
42  const user = await this.repo.findOne({ where: { id } });
43  if (!user) {
44    // XSS if id contains malicious content and error is rendered
45    throw new NotFoundException(`User ${id} not found`);
46  }
47  return user;
48}
49```
50 
51**Correct (sanitize content and use proper headers):**
52 
53```typescript
54// Sanitize HTML content before storage
55import * as sanitizeHtml from 'sanitize-html';
56 
57@Injectable()
58export class CommentsService {
59  private readonly sanitizeOptions: sanitizeHtml.IOptions = {
60    allowedTags: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
61    allowedAttributes: {
62      a: ['href', 'title'],
63    },
64    allowedSchemes: ['http', 'https', 'mailto'],
65  };
66 
67  async create(dto: CreateCommentDto): Promise<Comment> {
68    return this.repo.save({
69      content: sanitizeHtml(dto.content, this.sanitizeOptions),
70      authorId: dto.authorId,
71    });
72  }
73}
74 
75// Use validation pipe to strip HTML
76import { Transform } from 'class-transformer';
77 
78export class CreatePostDto {
79  @IsString()
80  @MaxLength(1000)
81  @Transform(({ value }) => sanitizeHtml(value, { allowedTags: [] }))
82  title: string;
83 
84  @IsString()
85  @Transform(({ value }) =>
86    sanitizeHtml(value, {
87      allowedTags: ['p', 'br', 'b', 'i', 'a'],
88      allowedAttributes: { a: ['href'] },
89    }),
90  )
91  content: string;
92}
93 
94// Set proper Content-Type headers
95@Controller('api')
96export class ApiController {
97  @Get('data')
98  @Header('Content-Type', 'application/json')
99  async getData(): Promise<DataResponse> {
100    // JSON response - browser won't execute scripts
101    return this.service.getData();
102  }
103}
104 
105// Sanitize error messages
106@Get(':id')
107async findOne(@Param('id', ParseUUIDPipe) id: string): Promise<User> {
108  const user = await this.repo.findOne({ where: { id } });
109  if (!user) {
110    // UUID validation ensures safe format
111    throw new NotFoundException('User not found');
112  }
113  return user;
114}
115 
116// Use Helmet for CSP headers
117import helmet from 'helmet';
118 
119async function bootstrap() {
120  const app = await NestFactory.create(AppModule);
121 
122  app.use(
123    helmet({
124      contentSecurityPolicy: {
125        directives: {
126          defaultSrc: ["'self'"],
127          scriptSrc: ["'self'"],
128          styleSrc: ["'self'", "'unsafe-inline'"],
129          imgSrc: ["'self'", 'data:', 'https:'],
130        },
131      },
132    }),
133  );
134 
135  await app.listen(3000);
136}
137```
138 
139Reference: [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
140

Marketplace

Source from repo

NestJS Best Practices

40 prioritized NestJS best practices across architecture, DI, security, performance, testing, and microservices.

kadajettGitHub kadajettSource repo Original GitHub link Publisher page

Files

Skill

n/a

Size

349.2 KB

Entrypoint

SKILL.md

Format

git-repo

Open file

rules/security-sanitize-output.md

Syntax-highlighted preview of this file as included in the skill package.

Rendered Source

markdown140 linesFree

rules/security-sanitize-output.md

1---
2title: Sanitize Output to Prevent XSS
3impact: HIGH
4impactDescription: XSS vulnerabilities can compromise user sessions and data
5tags: security, xss, sanitization, html
6---
7 
8## Sanitize Output to Prevent XSS
9 
10While NestJS APIs typically return JSON (which browsers don't execute), XSS risks exist when rendering HTML, storing user content, or when frontend frameworks improperly handle API responses. Sanitize user-generated content before storage and use proper Content-Type headers.
11 
12**Incorrect (storing raw HTML without sanitization):**
13 
14```typescript
15// Store raw HTML from users
16@Injectable()
17export class CommentsService {
18  async create(dto: CreateCommentDto): Promise<Comment> {
19    // User can inject: <script>steal(document.cookie)</script>
20    return this.repo.save({
21      content: dto.content, // Raw, unsanitized
22      authorId: dto.authorId,
23    });
24  }
25}
26 
27// Return HTML without sanitization
28@Controller('pages')
29export class PagesController {
30  @Get(':slug')
31  @Header('Content-Type', 'text/html')
32  async getPage(@Param('slug') slug: string): Promise<string> {
33    const page = await this.pagesService.findBySlug(slug);
34    // If page.content contains user input, XSS is possible
35    return `<html><body>${page.content}</body></html>`;
36  }
37}
38 
39// Reflect user input in errors
40@Get(':id')
41async findOne(@Param('id') id: string): Promise<User> {
42  const user = await this.repo.findOne({ where: { id } });
43  if (!user) {
44    // XSS if id contains malicious content and error is rendered
45    throw new NotFoundException(`User ${id} not found`);
46  }
47  return user;
48}
49```
50 
51**Correct (sanitize content and use proper headers):**
52 
53```typescript
54// Sanitize HTML content before storage
55import * as sanitizeHtml from 'sanitize-html';
56 
57@Injectable()
58export class CommentsService {
59  private readonly sanitizeOptions: sanitizeHtml.IOptions = {
60    allowedTags: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
61    allowedAttributes: {
62      a: ['href', 'title'],
63    },
64    allowedSchemes: ['http', 'https', 'mailto'],
65  };
66 
67  async create(dto: CreateCommentDto): Promise<Comment> {
68    return this.repo.save({
69      content: sanitizeHtml(dto.content, this.sanitizeOptions),
70      authorId: dto.authorId,
71    });
72  }
73}
74 
75// Use validation pipe to strip HTML
76import { Transform } from 'class-transformer';
77 
78export class CreatePostDto {
79  @IsString()
80  @MaxLength(1000)
81  @Transform(({ value }) => sanitizeHtml(value, { allowedTags: [] }))
82  title: string;
83 
84  @IsString()
85  @Transform(({ value }) =>
86    sanitizeHtml(value, {
87      allowedTags: ['p', 'br', 'b', 'i', 'a'],
88      allowedAttributes: { a: ['href'] },
89    }),
90  )
91  content: string;
92}
93 
94// Set proper Content-Type headers
95@Controller('api')
96export class ApiController {
97  @Get('data')
98  @Header('Content-Type', 'application/json')
99  async getData(): Promise<DataResponse> {
100    // JSON response - browser won't execute scripts
101    return this.service.getData();
102  }
103}
104 
105// Sanitize error messages
106@Get(':id')
107async findOne(@Param('id', ParseUUIDPipe) id: string): Promise<User> {
108  const user = await this.repo.findOne({ where: { id } });
109  if (!user) {
110    // UUID validation ensures safe format
111    throw new NotFoundException('User not found');
112  }
113  return user;
114}
115 
116// Use Helmet for CSP headers
117import helmet from 'helmet';
118 
119async function bootstrap() {
120  const app = await NestFactory.create(AppModule);
121 
122  app.use(
123    helmet({
124      contentSecurityPolicy: {
125        directives: {
126          defaultSrc: ["'self'"],
127          scriptSrc: ["'self'"],
128          styleSrc: ["'self'", "'unsafe-inline'"],
129          imgSrc: ["'self'", 'data:', 'https:'],
130        },
131      },
132    }),
133  );
134 
135  await app.listen(3000);
136}
137```
138 
139Reference: [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
140

NestJS Best Practices

rules/security-sanitize-output.md

Preparing the source view

NestJS Best Practices

rules/security-sanitize-output.md