In the Reflected and Stored XSS Attacks, we saw how an attacker can inject malicious code into the server and/or database using a form. This is why it’s important to validate and/or sanitize data before it’s submitted to the server.

When we validate data we ensure that the user is not submitting information that doesn’t fit a certain format. Moreover, we can use sanitization in order to reformat data so no malicious code is sent.

In other words, validation checks if the input meets a set of criteria (such as a string contains no standalone single quotation marks), whereas sanitization modifies the input to ensure that it is valid (such as removing single quotes).

There are many packages that help validate user data, and one common package is express-validator. It’s built off of the validator package, and it is recommended for use in express applications. With express-validator, we can verify if a string matches a certain format by importing certain functions such as check:

const { check } = require("express-validator");

Once the function is imported, it can be used as a middleware within our endpoints, to validate any input that’s submitted within objects attached to req (such as data sent in a form through req.body):

app.post("/login", [ check('email').isEmail(), ], (req, res) => {});

In the example above, the email field is sent through a login form and retrieved from req.body. Notice how we’re using an array since we can pass in multiple check‘s for input data.

If the input data is valid, then the rest of the request will be executed and we know that the data passed in is safe and properly formatted.



We’re in the process of building an endpoint to log in users. In order to validate any submitted data, let’s make use of express-validator.

Begin by importing the check function from express-validator at the top of the file.


For the login credentials, users will require to input an email and a password. Let’s start by validating the email.

Scroll down to the "login" endpoint.

Make use of the check function to validate that the email input is formatted correctly using the isEmail function.


For the password, we want to make sure that the password input matches a minimum length.

Make use of the isLength function to ensure that the password input is at least 5 characters in length.

For more information on these other methods, refer to the express-validator documentation

Sign up to start coding

Mini Info Outline Icon
By signing up for Codecademy, you agree to Codecademy's Terms of Service & Privacy Policy.

Or sign up using:

Already have an account?