Escaping HTML

While the recommended way to escape HTML is to use one of the built-in output sanitization options in the API, for convenience, @joystick.js/node offers a standalone named export of its HTML escaping function:

import joystick, { escape_html } from '@joystick.js/node';

const getters = {
  input: {
    name: {
      type: 'string',
      required: true,
    },
    description: {
      type: 'string',
      required: true,
    },
  },
  get: (input = {}) => {
    await process.databases.mongodb.collection('products').insertOne({
      _id: joystick.id(),
      name: escape_html(input?.title),
      description: escape_html(input?.description),
    });
  },
};

export default getters;

The escape_html() method is helpful for pre-sanitizing user input before it hits your database. This avoids the need for implementing output sanitization which can help to give a potential performance boost and avoid accidental rendering of unsanitized output.