XSS
Isaac Clark, 2018-02-04 15:54:56

Why does XSS pass?

Hello, I started learning Node.js, in particular Express, and I ran into a problem: if you specify http: in the form when filling out the form, then the form will make a request.
Why is that, shouldn't Express 4 handle the whole thing?
Code on the server

router.get('/users/:user_id/check', (req, res, next) => {
  const { user_id } = req.params;
  // Go to the database and check (the lookup call is not shown in the post;
  // checkUserExists is a placeholder name for a function returning a Promise)
  checkUserExists(user_id)
    .then(isExist => {
      if (isExist) {
        res.status(200)
          .json({ user_id: 'Please enter a unique user ID' });
      } else {
        res.status(200)
          .json({ result: 'valid' });
      }
    })
    .catch(e => next(e));
});

How do I fix this? Do escaping in '/users/:user_id/check' with replace? But it seems to me that Express should be able to handle such banal things.
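Express URL-decodes route parameters such as `user_id` but does not validate or HTML-encode them; that is left to the application. The following is an added example, not code from the original post: an allowlist check shaped like a `router.param` callback, plus output encoding. The ID format and the names `checkUserIdParam`, `escapeHtml`, `fakeRes` and `simulate` are assumptions made for illustration.

```javascript
'use strict';

// Assumed policy for this example: 3-32 letters, digits, "_" or "-".
const USER_ID_RE = /^[A-Za-z0-9_-]{3,32}$/;

function isValidUserId(value) {
  return typeof value === 'string' && USER_ID_RE.test(value);
}

// Same signature as an Express param callback, so it could be registered
// with router.param('user_id', checkUserIdParam) ahead of the route handler.
function checkUserIdParam(req, res, next, value) {
  if (!isValidUserId(value)) {
    return res.status(400).json({ user_id: 'Invalid user ID format' });
  }
  next();
}

// HTML-encode a value at the point where it is written into markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Constructed stand-in for the Express response object so this runs offline.
function fakeRes() {
  return {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.body = obj; return this; },
  };
}

// Runs the check for one raw path segment. Express decodes the segment
// before handlers see it, which decodeURIComponent mirrors here.
function simulate(rawSegment) {
  const value = decodeURIComponent(rawSegment);
  const res = fakeRes();
  let passed = false;
  checkUserIdParam({ params: { user_id: value } }, res, () => { passed = true; }, value);
  return { passed, status: res.statusCode, body: res.body };
}
```

Validation rejects malformed IDs before the database lookup; encoding still belongs wherever the client inserts a value into HTML.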
