Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 400,000 packages pre-installed, including express-mongo-sanitize with all npm packages installed. Try it out:

var expressMongoSanitize = require("express-mongo-sanitize")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

express-mongo-sanitize v1.3.2

Sanitize your express payload to prevent MongoDB operator injection.

Express Mongoose Sanitize

Express 4.x middleware which sanitizes user-supplied data to prevent MongoDB Operator Injection.

Build Status npm version Dependency Status devDependency Status


npm install express-mongo-sanitize


Add as a piece of express middleware, before defining your routes.

var express = require('express'),
    bodyParser = require('body-parser'),
    mongoSanitize = require('express-mongo-sanitize');

var app = express();

app.use(bodyParser.urlencoded({extended: true}));

// To remove data, use:

// Or, to replace prohibited characters with _, use:
  replaceWith: '_'

You can also bypass the middleware and use the module directly:

var mongoSanitize = require('express-mongo-sanitize');

var payload = {...};

// Remove any keys containing prohibited characters

// Replace any prohibited characters in keys
mongoSanitize.sanitize(payload, {
  replaceWith: '_'

// Check if the payload has keys with prohibited characters
var hasProhibited = mongoSanitize.has(payload);


This module searches for any keys in objects that begin with a $ sign or contain a ., from req.body, req.query or req.params. It can then either:

  • completely remove these keys and associated data from the object, or
  • replace the prohibited characters with another allowed character.

The behaviour is governed by the passed option, replaceWith. Set this option to have the sanitizer replace the prohibited characters with the character passed in.

See the spec file for more examples.


Object keys starting with a $ or containing a . are reserved for use by MongoDB as operators. Without this sanitization, malicious users could send an object containing a $ operator, or including a ., which could change the context of a database operation. Most notorious is the $where operator, which can execute arbitrary JavaScript on the database.

The best way to prevent this is to sanitize the received data, and remove any offending keys, or replace the characters with a 'safe' one.


Inspired by mongo-sanitize.



RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free