1.0.2

README.md

@@ -1,5 +1,5 @@
 # security
-[![version 1.0.1](https://img.shields.io/badge/pub-v1.0.1-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
+[![version 1.0.2](https://img.shields.io/badge/pub-v1.0.2-brightgreen.svg)](https://pub.dartlang.org/packages/angel_security)
 [![build status](https://travis-ci.org/angel-dart/security.svg)](https://travis-ci.org/angel-dart/security)
 
 Angel middleware designed to enhance application security by patching common Web security

lib/src/sanitize.dart

@@ -10,7 +10,7 @@ final Map<Pattern, String> DEFAULT_SANITIZERS = {
 /// Mitigates XSS risk by sanitizing user HTML input.
 ///
 /// You can also provide a Map of patterns to [replace].
-/// 
+///
 /// You can sanitize the [body] or [query] (both `true` by default).
 RequestMiddleware sanitizeHtmlInput(
     {bool body: true,
@@ -19,8 +19,12 @@ RequestMiddleware sanitizeHtmlInput(
   var sanitizers = {}..addAll(DEFAULT_SANITIZERS)..addAll(replace ?? {});
 
   return (RequestContext req, res) async {
-    if (body) _sanitizeMap(await req.lazyBody(), sanitizers);
-    if (query) _sanitizeMap(await req.lazyQuery(), sanitizers);
+    if (body) {
+      await req.parse();
+      _sanitizeMap(req.body, sanitizers);
+    }
+
+    if (query) _sanitizeMap(req.query, sanitizers);
     return true;
   };
 }

pubspec.yaml

@@ -1,5 +1,5 @@
 name: angel_security
-version: 1.0.1
+version: 1.0.2
 description: Angel middleware designed to enhance application security by patching common Web security holes.
 author: Tobe O <thosakwe@gmail.com>
 environment:

test/hooks_test.dart

@@ -29,7 +29,7 @@ main() {
       ..beforeIndexed.listen(hooks.queryWithCurrentUser())
       ..beforeCreated.listen(hooks.hashPassword());
 
-    app.service('artists')
+    app.service('artists') as HookedService
       ..beforeIndexed.listen(hooks.restrictToAuthenticated())
       ..beforeRead.listen(hooks.restrictToOwner())
       ..beforeCreated.listen(hooks.associateCurrentUser());

test/sanitize_test.dart

@@ -14,10 +14,9 @@ main() async {
   TestClient client;
 
   setUp(() async {
-    app = new Angel()
-      ..chain(validate(untrustedSchema))
-          .chain(sanitizeHtmlInput())
-          .post('/untrusted', (RequestContext req, ResponseContext res) async {
+    app = new Angel();
+    app.chain([validate(untrustedSchema), sanitizeHtmlInput()])
+      ..post('/untrusted', (RequestContext req, ResponseContext res) async {
         String untrusted = req.body['html'];
         res
           ..contentType = ContentType.HTML
@@ -30,8 +29,7 @@ main() async {
             <body>$untrusted</body>
           </html>''');
       })
-      ..chain(validate(untrustedSchema)).post('/attribute',
-          (RequestContext req, ResponseContext res) async {
+      ..post('/attribute', (RequestContext req, ResponseContext res) async {
         String untrusted = req.body['html'];
         res
           ..contentType = ContentType.HTML
@@ -108,7 +106,7 @@ main() async {
     var response = await client.post('/attribute', body: {'html': xss});
     print(response.body);
     expect(response.body.contains(xss), isFalse);
-    expect(response.body.toLowerCase().contains('javascript:'), isFalse);
+    expect(response.body.toLowerCase().contains(xss), isFalse);
   });
 
   test('style attribute', () async {
@@ -116,6 +114,6 @@ main() async {
     var response = await client.post('/attribute', body: {'html': xss});
     print(response.body);
     expect(response.body.contains(xss), isFalse);
-    expect(response.body.toLowerCase().contains('javascript:'), isFalse);
+    expect(response.body.toLowerCase().contains(xss), isFalse);
   });
 }

test/throttle_test.dart

@@ -27,7 +27,7 @@ main() {
     // First request within the hour is fine
     var response = await client.get('/once-per-hour');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Second request within an hour? No no no!
     response = await client.get('/once-per-hour');
@@ -39,19 +39,19 @@ main() {
     // First request within the minute is fine
     var response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
 
     // Second request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response.body, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
 
     // Third request within the minute is fine
     response = await client.get('/thrice-per-minute');
     print(response.body);
-    expect(response, hasBody('OK'));
+    expect(response, hasBody('"OK"'));
 
     // Fourth request within a minute? No no no!
     response = await client.get('/thrice-per-minute');