
xssValidator and Content-Type: multipart/form-data #364

Closed
MarijnMensinga opened this issue Feb 2, 2024 · 5 comments · Fixed by #376 or #381
Labels
awaiting details Waiting for feedback from the issue author, i.e. reproduction

Comments

@MarijnMensinga

Hi,

In our project we send multipart/form-data to our nuxt server and it seems to interfere with the xssValidator.
If we send any binary in our body we get a BadRequest 400 response originating from the following location:

throw createError(badRequestError)

We think this is because multipart/form-data binary should not be stringified with JSON and then be compared to equality to the original binary input. Are we correct in this train of thought?

What can we do to fix our issue except from disabling the entire xssValidator?

A second question: why is the xssValidator only enabled on POST and GET? We'd expect it to be enabled on at least PATCH as well?

if (['POST', 'GET'].includes(event.node.req.method!)) {

We'd love to hear from you, we really like your project!

@Baroshem
Owner

Baroshem commented Feb 2, 2024

Hey Buddy,

I am glad that you like it!

Let me answer your questions:

  1. why is the xssValidator only enabled on POST and GET? We'd expect it to be enabled on at least PATCH as well -> This is the convention I selected at the very beginning because I thought that you may need XSS validation in GET and POST only. But from what you say, I think it could be beneficial to allow users to pass an array of methods where the XSS validation should work. By default we could still set the POST and GET methods but allow users to pass a custom array of methods. Do you think that it would help?
  2. We think this is because multipart/form-data binary should not be stringified with JSON and then be compared to equality to the original binary input. Are we correct in this train of thought? -> Yes you are correct. I think the XSS Validator should be refactored in several places because for now it works in a really basic way.
  3. What can we do to fix our issue except from disabling the entire xssValidator? -> You can always disable XSS Validator for a certain route only (it's not great but you can do it even right now)
export default defineNuxtConfig({
  routeRules: {
    '/my-secret-route': {
      security: {
        xssValidator: false
      }
    }
  }
})
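One way to implement the two points discussed above (a configurable list of validated methods, and multipart/form-data bodies checked per text field instead of being JSON-stringified and compared as a whole), as an added example that is not nuxt-security's own code. `sanitize` is an assumed stand-in for the real `xss` filter the module uses, and `sampleUpload` is constructed input.

```javascript
// Added example, not nuxt-security's code. Models a request-body XSS check
// that (a) takes the HTTP methods to validate as configuration and
// (b) skips binary parts of a parsed multipart body, checking only strings.

// Assumed stand-in for the xss() filter: drops HTML tags and "onX=" handlers.
function sanitize(value) {
  return String(value).replace(/<[^>]*>/g, '').replace(/on\w+\s*=/gi, '');
}

// A string is clean when sanitizing it changes nothing (same idea as the
// module's equality comparison, but applied per field, not to the whole body).
function isClean(value) {
  return sanitize(value) === value;
}

// Walk a parsed body; returns the path of the first tainted string or null.
// Binary file parts (Uint8Array/Buffer) are not markup, so they are skipped
// rather than stringified, which is what broke multipart uploads in the issue.
function findTaintedField(body, path = '') {
  if (typeof body === 'string') return isClean(body) ? null : path || '(root)';
  if (body instanceof Uint8Array) return null; // file part: nothing to check
  if (Array.isArray(body)) {
    for (let i = 0; i < body.length; i++) {
      const hit = findTaintedField(body[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (body && typeof body === 'object') {
    for (const [key, val] of Object.entries(body)) {
      const hit = findTaintedField(val, path ? `${path}.${key}` : key);
      if (hit) return hit;
    }
  }
  return null; // numbers, booleans, null, undefined
}

// Methods come from config; the default mirrors the module's POST/GET.
function shouldValidate(method, methods = ['POST', 'GET']) {
  return methods.includes(String(method).toUpperCase());
}

// Returns { ok: true } or { ok: false, status: 400, field } for a request.
function validateRequest({ method, body }, options = {}) {
  if (!shouldValidate(method, options.methods)) return { ok: true };
  const field = findTaintedField(body);
  return field ? { ok: false, status: 400, field } : { ok: true };
}

// Constructed multipart body after parsing: one text field plus one file part
// whose bytes happen to contain "</>" and must not be treated as markup.
const sampleUpload = {
  description: 'holiday photo',
  photo: new Uint8Array([0xff, 0xd8, 0x3c, 0x2f, 0x3e]),
};
```

With `methods: ['POST', 'GET', 'PATCH']` the same check also covers PATCH, which is the configurability suggested in the thread.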

@MarijnMensinga
Author

Hi Baroshem,

Thanks for your quick response!

  1. I think the default could very well include PATCH as well. But if we get the possibility to change it ourselves that would be fine as well
  2. Ok :)
  3. Ah that is actually a great fix for our case, will implement that

@MarijnMensinga
Author

Sorry xD didn't mean to close the ticket since the core issue is still here

@Baroshem
Owner

Baroshem commented Feb 2, 2024

No worries, happened to me too many times ;)

So regarding the contribution, if you are up for it feel free to create a branch, work on your solution and create a PR with it. Then I could give you a review.

If you don't feel comfortable designing the new solution by yourself, I can always give you some ideas in terms of how I would see it. Maybe it will help you :)

@Baroshem Baroshem added the awaiting details Waiting for feedback from the issue author, i.e. reproduction label Feb 6, 2024
@Baroshem Baroshem linked a pull request Feb 22, 2024 that will close this issue
@Baroshem
Owner

Support for configuring methods for XSS validator was merged in 1.2.0 :)
