Can injection still be an issue if all the database operations are done through Mongoose?
Like the article mentioned, the problem arises when the user doesn't send a string like 'bergur' and 'myawesomepassword' but instead sends {"$ne": null} for the username and password.
If you create a schema and define username and password as strings, then Mongoose will convert them to strings and you avoid the problem.
Regarding the $where injection, mongo-sanitize wouldn't help you there. The solution is simply to never use the $where operator.
So to simply answer your question:
- No you don't need to use mongo-sanitize
- No explicit injection protection; the protection comes from schemas and models.
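To make the answer's two points concrete, here is an added example (not code from the original post and not Mongoose's own casting code): a plain-Node emulation of "cast every query value to the declared schema type" plus a check that refuses any operator key such as `$ne` or `$where` before a filter reaches the driver. The names `loginSchema`, `castLoginFilter`, `hasOperator` and `demo` are assumed for this illustration, and the request bodies are constructed.

```javascript
// Added example (not code from the original post): a plain-Node emulation of
// the schema-casting defence the answer describes. `loginSchema`,
// `castLoginFilter`, `hasOperator` and `demo` are names assumed here;
// Mongoose's real casting lives in its SchemaType/Query code and is not
// reproduced.

// Schema declared the way the answer suggests: both fields are String.
const loginSchema = { username: String, password: String };

// Build a query filter from untrusted request input, casting every value to
// the declared type. An object such as {"$ne": null} is not a string, so it is
// refused instead of being passed through to the database as an operator.
function castLoginFilter(body) {
  const filter = {};
  for (const [field, type] of Object.entries(loginSchema)) {
    if (!(field in body)) throw new TypeError(`missing field "${field}"`);
    const value = body[field];
    if (type === String) {
      if (typeof value === 'string') {
        filter[field] = value;
      } else if (typeof value === 'number' || typeof value === 'boolean') {
        filter[field] = String(value); // harmless primitives are stringified
      } else {
        throw new TypeError(`Cast to String failed for field "${field}"`);
      }
    }
  }
  return filter;
}

// Walk a filter and report whether any key is a MongoDB operator ($ne,
// $where, ...). Used as a last-line check before a filter reaches the driver;
// since the advice is never to use $where, its presence is treated as an error.
function hasOperator(value) {
  if (Array.isArray(value)) return value.some(hasOperator);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || hasOperator(v)
  );
}

// Constructed sample request bodies: a normal login, and the payload from the
// thread that tries to turn "username == x" into "username != null".
const normalLogin = { username: 'bergur', password: 'myawesomepassword' };
const injectedLogin = { username: { $ne: null }, password: { $ne: null } };

function demo() {
  const results = {};
  results.normal = castLoginFilter(normalLogin);
  try {
    castLoginFilter(injectedLogin);
    results.injected = 'accepted';
  } catch (err) {
    results.injected = err.message;
  }
  // A raw (uncast) filter built straight from the request still carries $ne,
  // while the cast filter contains only plain string values.
  results.rawHasOperator = hasOperator(injectedLogin);
  results.castHasOperator = hasOperator(results.normal);
  // A $where clause built from user input is caught by the same check.
  results.whereHasOperator = hasOperator({ $where: 'this.username == "bergur"' });
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the emulation is that the dangerous payload never becomes a query at all: it fails casting, and even a filter assembled some other way is rejected by `hasOperator` if it carries `$where` or another operator. Whatever your Mongoose version actually does with operator objects in `find()` filters is worth checking against its documentation rather than assuming from this sketch; newer Mongoose releases also ship a `sanitizeFilter` option for exactly this class of input.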