Escaping HTML
While the recommended way to escape HTML is to use one of the built-in output sanitization options in the API, for convenience, @joystick.js/node offers a standalone named export of its HTML escaping function:
import joystick, { escape_html } from '@joystick.js/node';

const getters = {
  input: {
    product_id: {
      type: 'string',
      required: true,
    },
  },
  get: async (input = {}) => {
    // Look up the product by the validated product_id from the getter input.
    const product = await process.databases.mongodb.collection('products').findOne({
      _id: input?.product_id,
    });

    // Escape the user-supplied string fields before returning them to the client.
    return {
      ...product,
      title: escape_html(product?.title || ''),
      description: escape_html(product?.description || ''),
    };
  },
};

export default getters;
The escape_html() method is helpful for escaping previously stored user input at retrieval time. This ensures that once your data is returned to the client and rendered, any malicious markup embedded in the data has been escaped and is displayed as inert text rather than interpreted by the browser.
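To make the retrieval-time pattern concrete, here is an added example (not Joystick's own escape_html implementation) of a minimal HTML escaper and a sanitizeProduct() helper that applies it to the same title and description fields the getter above escapes; the stored product record is constructed inline in place of a MongoDB document.

```javascript
// Added example: a minimal HTML escaper plus a retrieval-time sanitizer for a
// product record. escapeHtml and sanitizeProduct are hypothetical helpers, not
// part of @joystick.js/node.

// The five characters that can break out of an HTML text node or quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for safe insertion into HTML text or a quoted attribute value.
// null/undefined become an empty string; other non-strings are coerced.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fields that originated as free-form user input and must be escaped on the
// way out; every other field is passed through untouched.
const USER_SUPPLIED_FIELDS = ['title', 'description'];

function sanitizeProduct(product) {
  const out = { ...product };
  for (const field of USER_SUPPLIED_FIELDS) {
    // Mirror the getter's `|| ''` so a missing field yields '' rather than 'undefined'.
    out[field] = escapeHtml(out[field] || '');
  }
  return out;
}

// Constructed sample record standing in for a document whose fields were
// stored exactly as the user submitted them.
const storedProduct = {
  _id: 'prod_123',
  title: '<script>alert(1)</script>',
  description: 'Tom & Jerry\'s "best" <b>deal</b>',
  price: 5,
};

const safeProduct = sanitizeProduct(storedProduct);
console.log(safeProduct.title);
// &lt;script&gt;alert(1)&lt;/script&gt;
```

Escaping is context-specific: this covers HTML text and quoted attribute values, so a value that ends up inside a script block or a URL needs encoding appropriate to that context instead.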