ejs | Toolkit to play with custom language extensions | Runtime Evironment library

First of all your data probably isn't saved in database the way you presented. In all likelihood it's stored there without any encoding (as it should be).

EJS in itself, when used correctly, takes care of encoding output for you so that you can safely construct parameterized HTML. But in your case you want to disable this protection to render raw HTML, so yes, you must be careful. There are a couple of security controls at your disposal.

1. DOMPurify

I haven't used the xss library personally, it seems to have a lot of downloads and probably it's not a bad option. But DOMPurify is probably better. It also doesn't require configuration and has built-in support for trusted-types (I'll get to that in a minute).

You would use it twice. First on server-side when the HTML is submitted by the user, and second on client-side when the HTML is rendered by EJS.

If you are serious about security then you will connect anomaly alerts from the server-side purification to your SIEM/SOC etc. Then you will know when someone has attempted an XSS attack on your website.

2. Sandboxed Iframes

Another client-side control that you can implement is sandboxed iframes. Instead of just rendering the HTML on the page, you create an IFRAME, give it a properly configured sandbox attribute, and then set the purified HTML as the content. Now even if something goes wrong with the purification, the malicious HTML would be isolated in its own world.

3. Content Security Policy

The coolest and (when used properly) most effective defence against XSS is CSP. How it works is that you give your website restrictions such as "do not execute scripts", "do not load images", etc. And then you allow the scripts that you do want to execute, and nothing else. Now if an attacker manages to inject a script, link, form, etc. on the page, it will not work because it hasn't been specifically allowed.

I've written about CSP at length here, you will even find specific examples for your case (NodeJS and EJS) with CodeSandbox examples on that article. And in general about XSS protection you can read more here.

Hope this helps!

EJS values can't be modified in JavaScript, but the easiest solution is to convert the EJS object into JSON.

Just cancel it because its version updated

You redirect user to /login route, but you don't have get request for this.

If you have it but not uploaded try this in Seralize Passport

First off, check the heroku docs to see the deployment cycle. Basically, the build script is ran after installing the packages (this is typically for bundling the frontend code but sometimes also for compiling the server code like if you've used TypeScript). Since you don't have any build being done, you should take out that line in your package.json file. (Esentially, what you'd done here was start your server twice)

Also, Heroku has it's own process monitor so no need to use nodemon. Change the start script to node app.js. You could also add a dev script that uses nodemon for your local development, then you'd run it using npm run dev.

So in summary, change the scripts config in your package.json file to below:

To broadcast to all clients in a particular room, just use socket.to(roomId).emit(...). You don't need to use the .broadcast property.

Check whether your codes don't have any warnings. If they have warnings try to fix them and deploy again or ignore them by setting environment variable CI to false. It would look like this:

You have missed the closing quotation mark for the first condition. Try this one,

As Chris G pointed out you need to declare let users = []; outside of the event handler connection.

For an example in app.js using sockets with a express server: