I think it's a well-known best practice on the web to mistrust any input. The sentence "All input is evil." is probably the most cited quote with respect to input validation. Now, for HTML you can use tools such as DOMPurify to sanitize it.
My question is: if I have a Node.js server running Express and the body-parser middleware to receive and parse JSON, do I need to run any sanitizing as well?
My (maybe naive?) thoughts on this are that JSON is only data, no code, and if somebody sends invalid JSON, body-parser (which uses JSON.parse() internally) will fail anyway, so I know that my app will receive a valid JavaScript object. As long as I don't run eval on that or call a function, I should be fine, shouldn't I?
Am I missing something?
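As an added illustration of the distinction the question touches on (this is example code, not part of the question or of body-parser): JSON.parse() guarantees only that the body is syntactically valid JSON, so the server still has to check the shape and types of what it received. The sign-up schema and the sample payloads below are constructed for this example.

```javascript
// Hypothetical schema for a sign-up endpoint (constructed for this example):
// every field is required, typed and bounded; keys not listed are rejected.
const SIGNUP_SCHEMA = {
  username: (v) => typeof v === "string" && /^[a-z0-9_]{3,32}$/.test(v),
  age: (v) => Number.isInteger(v) && v >= 0 && v <= 150,
};

// Validate an already-parsed body against a schema.
// Returns a list of problems; an empty list means the body is acceptable.
function validateBody(body, schema) {
  const errors = [];
  // JSON.parse can yield null, an array, a number or a string, not only an object.
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, check] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) {
      errors.push(`missing field: ${key}`);
    } else if (!check(body[key])) {
      errors.push(`invalid value for field: ${key}`);
    }
  }
  return errors;
}

// Parse a raw request body the way body-parser does (JSON.parse), then
// validate it. Returns { ok, errors } so the caller can answer with a 400.
function parseAndValidate(rawBody, schema = SIGNUP_SCHEMA) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ["malformed JSON"] };
  }
  const errors = validateBody(body, schema);
  return { ok: errors.length === 0, errors };
}

// Constructed sample payloads: all four parse without error, only one is acceptable.
const SAMPLES = {
  good: '{"username":"alice_01","age":30}',
  wrongType: '{"username":"alice_01","age":"30"}',
  extraField: '{"username":"alice_01","age":30,"isAdmin":true}',
  notAnObject: "[1,2,3]",
};
```

In an Express app the same check would run in a middleware right after body-parser, rejecting the request before any handler touches req.body.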