input-validation-sanitization-auditor

Input Validation & Sanitization Auditor

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "input-validation-sanitization-auditor" with this command: npx skills add monkey1sai/openai-cli/monkey1sai-openai-cli-input-validation-sanitization-auditor

Prevent injection attacks through proper input handling.

XSS Prevention

```js
// ❌ DANGEROUS: Direct HTML injection
app.get("/search", (req, res) => {
  res.send(`<h1>Results for: ${req.query.q}</h1>`); // XSS!
});

// ✅ SAFE: Properly escaped
import { escape } from "html-escaper";

app.get("/search", (req, res) => {
  res.send(`<h1>Results for: ${escape(req.query.q)}</h1>`);
});

// ✅ BETTER: Template engine with auto-escaping
res.render("search", { query: req.query.q }); // EJS/Pug escape by default
```
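The following is an added example, not code from the skill's SKILL.md: a dependency-free escaper equivalent to html-escaper's `escape()`, the unsafe and safe variants of the `/search` renderer as plain functions, and the kind of check a security test would run against them. `renderSearchUnsafe`, `renderSearchSafe`, `containsTagsOtherThan` and `SAMPLE_QUERY` are names chosen here, not part of the skill.

```javascript
// Encoded for an HTML text context: the five characters that can open or
// close markup or an attribute value. The single regex pass means "&" is
// never double-encoded.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// ❌ mirrors the dangerous handler: untrusted input becomes markup.
function renderSearchUnsafe(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// ✅ mirrors the safe handler: untrusted input is encoded before insertion.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Security-test helper: after rendering, the only tags present should be the
// ones the template itself wrote. Any other tag name means input reached the
// HTML parser as syntax rather than as text.
function containsTagsOtherThan(html, allowedTags) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags
    .map((t) => t.replace(/^<\/?/, "").toLowerCase())
    .some((name) => !allowedTags.includes(name));
}

// Constructed sample input: markup, an attribute, and both quote styles,
// none of which may survive as syntax in the rendered page.
const SAMPLE_QUERY = `shoes <b onclick="x">"cheap"</b> & 'sale'`;

console.log(renderSearchUnsafe(SAMPLE_QUERY)); // <b onclick=...> is live markup
console.log(renderSearchSafe(SAMPLE_QUERY));   // &lt;b onclick=...&gt; is text
console.log(containsTagsOtherThan(renderSearchSafe(SAMPLE_QUERY), ["h1"])); // false
```

The same `containsTagsOtherThan` check works against output from a template engine, which is how the "Security tests" item in the checklist can verify that auto-escaping is actually on for a given view.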

SQL Injection Prevention

```js
// ❌ DANGEROUS: String concatenation
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = '${userId}'`; // SQL Injection!
db.query(query);

// ✅ SAFE: Parameterized queries
db.query("SELECT * FROM users WHERE id = $1", [userId]);

// ✅ BEST: ORM (Prisma)
await prisma.user.findUnique({ where: { id: userId } });
```

Input Validation Schema

```js
import { z } from "zod";

const userSchema = z.object({
  email: z.string().email().max(255),
  password: z.string().min(12).max(128),
  age: z.number().int().min(13).max(120),
  website: z.string().url().optional(),
});

app.post("/register", async (req, res) => {
  try {
    const validated = userSchema.parse(req.body);
    await createUser(validated);
    res.json({ success: true });
  } catch (error) {
    res.status(400).json({ error: error.errors });
  }
});
```

Output Checklist

  • XSS prevention (escaping, CSP)

  • SQL injection prevention (parameterized queries)

  • Command injection prevention

  • Input validation schemas

  • Output encoding

  • Sanitization libraries

  • Security tests

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
