Input Validation & Sanitization Auditor
Prevent injection attacks through proper input handling.
XSS Prevention
// ❌ DANGEROUS: Direct HTML injection
app.get("/search", (req, res) => {
res.send(`<h1>Results for: ${req.query.q}</h1>`); // XSS!
});
// ✅ SAFE: Properly escaped
import { escape } from "html-escaper";
app.get("/search", (req, res) => {
res.send(`<h1>Results for: ${escape(req.query.q)}</h1>`);
});
// ✅ BETTER: Template engine with auto-escaping
res.render("search", { query: req.query.q }); // EJS/Pug escape by default
SQL Injection Prevention
// ❌ DANGEROUS: String concatenation
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = '${userId}'`; // SQL Injection!
db.query(query);
// ✅ SAFE: Parameterized queries
db.query("SELECT * FROM users WHERE id = $1", [userId]);
// ✅ BEST: ORM (Prisma)
await prisma.user.findUnique({ where: { id: userId } });
Input Validation Schema
import { z } from "zod";
const userSchema = z.object({
email: z.string().email().max(255),
password: z.string().min(12).max(128),
age: z.number().int().min(13).max(120),
website: z.string().url().optional(),
});
app.post("/register", async (req, res) => {
try {
const validated = userSchema.parse(req.body);
await createUser(validated);
res.json({ success: true });
} catch (error) {
res.status(400).json({ error: error.errors });
}
});
Output Checklist
- [ ] XSS prevention (escaping, CSP)
- [ ] SQL injection prevention (parameterized queries)
- [ ] Command injection prevention
- [ ] Input validation schemas
- [ ] Output encoding
- [ ] Sanitization libraries
- [ ] Security tests ENDFILE