C
C#4mo ago
NaAquelo

How to use FieldInterceptors to sanitize String Fields in GraphQL Requests and Responses Using HotCh

I am working on ensuring that all string fields in my GraphQL requests and responses are properly sanitized to prevent XSS attacks using the HotChocolate .NET library. Here is an example of the issue I am trying to address: 
mutation NewCustomer {
    createNewCustomer(name = "<script>alert('xss')</script>") {
        customerId
        customerName
    }
}
mutation NewCustomer {
    createNewCustomer(name = "<script>alert('xss')</script>") {
        customerId
        customerName
    }
}
I have attempted two approaches so far without success: 1.) Custom Middleware Approach: I tried to create a custom middleware to sanitize inputs. However, I encountered issues because the HttpContext body contains a JSON string of the GraphQL query or response, not the actual GraphQLRequest object. Processing the raw JSON string seems impractical due to the complexity of the GraphQL query structure and the potential for numerous edge cases. 2.) TypeInterceptor Approach: I considered using a TypeInterceptor, but I am unable to find any documentation on how to implement this effectively after some google searches and on the HotChocolate website. The few available resources I am able to find are outdated, and I am struggling to apply TypeInterceptors to sanitize fields properly. I am seeking guidance on the following: Documentation: Where can I find up-to-date documentation or examples on using TypeInterceptors with HotChocolate for sanitization purposes? Recommendations: What is the best approach to sanitize string fields across all GraphQL objects, preferably through middleware or interceptors, to simplify the implementation that can be easily registered during project startup? Thank you.
1 Reply
Omnissiah
Omnissiah4mo ago
you really have to do sanitization by hand? i would have thought it would be more automatized
Want results from more Discord servers?
Add your server