Protect Multiple Text Inputs from XXE Attacks in Node.JS

XML External Entity (XXE) attacks target a specific vulnerability that occurs within an XML parser; since a large amount of web applications leverage XML in their design, they are all susceptible to these threats by default. Since basic anti-virus software doesn’t protect against these niche attacks, it can be helpful to integrate some type of security to ensure your application doesn’t fall prey to XXE tactics. In this brief tutorial, we will demonstrate how you can use an API in Node.JS to automatically check multiple text inputs for XXE attacks in batch.

Let’s begin the process by running this command to install the client:

npm install cloudmersive-validate-api-client --save

Or, add this snippet to your package.json:

"dependencies": {
    "cloudmersive-validate-api-client": "^1.3.9"
  }

At this point, we’re ready to call the function with the following code:

var CloudmersiveValidateApiClient = require('cloudmersive-validate-api-client');
var defaultClient = CloudmersiveValidateApiClient.ApiClient.instance;
// Configure API key authorization: Apikey
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = 'YOUR API KEY';
var apiInstance = new CloudmersiveValidateApiClient.TextInputApi();
var request = new CloudmersiveValidateApiClient.XxeDetectionBatchRequest(); // XxeDetectionBatchRequest |
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};
apiInstance.textInputCheckXxeBatch(request, callback);
Be sure to include your batch request inputs as shown in the below example:
{
  "RequestItems": [
    {
      "InputText": "string",
      "AllowInternetUrls": true,
      "KnownSafeUrls": [
        "string"
      ],
      "KnownUnsafeUrls": [
        "string"
      ]
    }
  ]
}

And that’s it!