# 03. Input Validation & XSS Prevention Audit

meta:
  id: web-production-03
  feature: web-production
  priority: P1
  depends_on: []
  tags: [security, validation, production]

objective:
  - Audit and harden all input validation to prevent XSS, injection attacks, and malformed data

deliverables:
  - XSS prevention audit report
  - Input sanitization layer
  - HTML escaping on all user-generated content
  - SQL injection protection verification

steps:
  1. Audit all tRPC routers for input validation gaps:
     - Check web/src/server/api/routers/*.ts for missing valibot schemas
     - Ensure all user inputs have strict type validation
     - Add maxLength constraints to all string inputs
  2. Implement output escaping for user-generated content:
     - Blog posts, user names, alert messages
     - Use DOMPurify or similar on client-side rendering
     - Escape HTML entities server-side before DB storage
  3. Audit database queries for SQL injection:
     - Verify all queries use Drizzle parameterized queries
     - Check raw SQL usage in jobs and services
     - Ensure no string concatenation in SQL
  4. Add content validation for file uploads (if any):
     - MIME type verification
     - File size limits
     - Scan for malware
  5. Implement request body size limits:
     - 1MB max for JSON payloads
     - 10MB max for file uploads
  6. Add tests for malformed input handling

tests:
  - Unit: Test each router with XSS payloads, SQL injection attempts
  - Integration: Submit malicious inputs via API, verify safe handling
  - Security: Run OWASP ZAP or Burp Suite against app

acceptance_criteria:
  - All tRPC inputs have strict valibot validation with bounds
  - User-generated content escaped before rendering
  - No SQL injection vectors in any query
  - XSS payloads rendered as plain text, not executed
  - Request body size limits enforced
  - OWASP ZAP scan shows no high/critical vulnerabilities

validation:
  - Submit `` in all text fields → rendered safely
  - Submit SQL injection in search fields → no database errors
  - Run `npm audit` and address all high severity issues

notes:
  - Valibot schemas already in use — expand them with stricter bounds
  - Consider using zod for more complex validation if valibot is limiting
  - Sanitize inputs at API boundary, not just client-side
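Steps 1 and 3 ask for an audit of the tRPC routers (procedures without a strict valibot schema, strings without `maxLength`) and of raw SQL (string concatenation or untagged templates instead of Drizzle's `sql` tag). The checker below is an added example, not part of this card and not a tRPC or Drizzle tool: it is a line-oriented heuristic (`auditRouterSource` is a hypothetical name) that produces the review worklist from a constructed router file, and it only recognises the `v.pipe(v.string(), v.maxLength(n))` and `.input(v.…)` shapes; each hit still needs a human look.

```typescript
// Added example (not part of the original task card): heuristic static audit
// for the gaps in steps 1 and 3. Hypothetical checker, not a tRPC/Drizzle tool.

interface Finding {
  line: number;
  rule: "missing-input-schema" | "unbounded-string" | "string-built-sql";
  text: string;
}

// One tRPC procedure chain, from `...Procedure` to its .query()/.mutation().
interface Chain {
  start: number;
  startText: string;
  text: string;
}

function auditRouterSource(source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");
  let chain: Chain | null = null;

  for (let index = 0; index < lines.length; index++) {
    const text = (lines[index] ?? "").trim();
    const line = index + 1;

    // Rule 1: a procedure whose .input() is not a valibot schema (argument does
    // not start with `v.`), or whose handler reads `input` with no .input() at
    // all. Procedures that genuinely take no input are left alone.
    if (/Procedure\b/.test(text)) chain = { start: line, startText: text, text: "" };
    if (chain !== null) {
      chain.text += text;
      if (/\.(query|mutation)\(/.test(text)) {
        const hasInputCall = /\.input\(/.test(chain.text);
        const hasValibotSchema = /\.input\(\s*v\./.test(chain.text);
        const handlerReadsInput = /[{,\s]input\s*[},.)]/.test(chain.text);
        if ((hasInputCall && !hasValibotSchema) || (!hasInputCall && handlerReadsInput)) {
          findings.push({ line: chain.start, rule: "missing-input-schema", text: chain.startText });
        }
        chain = null;
      }
    }

    // Rule 2: a valibot string field with no maxLength bound on the same line.
    if (/v\.string\(\)/.test(text) && !/v\.maxLength\(/.test(text)) {
      findings.push({ line, rule: "unbounded-string", text });
    }

    // Rule 3: execute() handed a string literal or an untagged template (the
    // Drizzle `sql` tag parameterises, a bare quote/backtick does not), or sql.raw().
    if (/\.execute\(\s*["'`]/.test(text) || /\bsql\.raw\(/.test(text)) {
      findings.push({ line, rule: "string-built-sql", text });
    }
  }
  return findings;
}

// Constructed sample router source (not the project's real code), containing one
// unbounded string, one concatenated query and one non-valibot input parser.
const SAMPLE_ROUTER = `
export const blogRouter = router({
  list: publicProcedure.query(async ({ ctx }) => ctx.db.select().from(posts)),
  create: protectedProcedure
    .input(v.object({
      title: v.pipe(v.string(), v.maxLength(200)),
      body: v.string(),
    }))
    .mutation(async ({ ctx, input }) => ctx.db.insert(posts).values(input)),
  search: publicProcedure
    .input(v.object({ q: v.pipe(v.string(), v.maxLength(100)) }))
    .query(({ ctx, input }) => ctx.db.execute("SELECT * FROM posts WHERE title LIKE '%" + input.q + "%'")),
  count: publicProcedure
    .input((raw) => raw as { tag: string })
    .query(({ ctx, input }) => ctx.db.execute(sql\`SELECT count(*) FROM posts WHERE tag = \${input.tag}\`)),
});
`;

// Worklist, one row per finding: "<line>: <rule> -> <source text>".
function formatFindings(findings: Finding[]): string[] {
  return findings.map((f) => `${f.line}: ${f.rule} -> ${f.text}`);
}

for (const row of formatFindings(auditRouterSource(SAMPLE_ROUTER))) console.log(row);
```

Run it over `web/src/server/api/routers/*.ts` and the job/service files to get the initial list; `count` is flagged because a custom parser that just casts is exactly the "no valibot schema" gap, while `list` is not flagged because it takes no input. The `search` hit is the one that matters for step 3: the concatenated `LIKE` query is the pattern the card wants replaced with a parameterised Drizzle query.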
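Step 2 and the acceptance criterion "XSS payloads rendered as plain text, not executed" come down to entity-escaping every user-supplied string at the point it is interpolated into HTML. The block below is an added example, not code from this card or the project: `escapeHtml`, `renderPost`, `renderAttribute` and `isDoubleEscaped` are hypothetical names, and the post content is constructed.

```typescript
// Added example (not part of the original task card): server-side HTML escaping
// for user-generated content (step 2), plus a check for double-escaped storage.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", // the escape character itself, so it must be escaped too
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

/** Escape the five characters that can end a text node or a quoted attribute.
 *  The output is safe to interpolate into HTML text or a quoted attribute value.
 *  It is not a sanitizer and does not make a value safe inside <script> or a URL. */
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

/** Render a blog post: any markup in the title or body is displayed literally
 *  rather than parsed by the browser. */
function renderPost(title: string, body: string): string {
  return `<article><h2>${escapeHtml(title)}</h2><p>${escapeHtml(body)}</p></article>`;
}

/** Build a quoted attribute such as title="..." for a user name or alert text;
 *  escaping " and ' is what stops the value closing the attribute early. */
function renderAttribute(name: string, value: string): string {
  return `${name}="${escapeHtml(value)}"`;
}

/** Escaping is not idempotent: applying it twice turns & into &amp;amp;. This
 *  spots content that was escaped before storage and then escaped again. */
function isDoubleEscaped(stored: string): boolean {
  return /&amp;(amp|lt|gt|quot|#39);/.test(stored);
}

// Constructed sample of user-submitted content (not taken from the page).
const SAMPLE_TITLE = "Tom & Jerry";
const SAMPLE_BODY = '<script>alert("xss")</script> fine print';
console.log(renderPost(SAMPLE_TITLE, SAMPLE_BODY));
```

The card asks both for server-side escaping before DB storage and for DOMPurify on the client. Those address different cases: escaping is for content that should never be markup (names, alert messages), while a sanitizer is for content where some markup is intentionally allowed (a post body with formatting). Whichever is chosen, escape at exactly one boundary; `isDoubleEscaped` is the audit check for rows that were escaped on the way in and again on the way out.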
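Step 5 sets the limits (1MB for JSON, 10MB for uploads) but the point of enforcing them is to reject an oversized body before it is buffered, not after. The block below is an added example, not part of this card or the project's HTTP adapter: the request shape, `handleRequest` and the other names are hypothetical, and the request bodies are constructed zero-filled buffers. The limit is applied twice, once to the declared `Content-Length` as a fast path and again to the running byte count, because the header can be absent or wrong.

```typescript
// Added example (not part of the original task card): request body size limits
// from step 5, enforced while the body arrives. Hypothetical handler.

const MAX_JSON_BYTES = 1 * 1024 * 1024;    // 1MB max for JSON payloads (step 5)
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // 10MB max for file uploads (step 5)

class PayloadTooLargeError extends Error {
  readonly status = 413;
  readonly limit: number;
  readonly received: number;
  constructor(limit: number, received: number) {
    super(`request body exceeds ${limit} bytes (received at least ${received})`);
    this.name = "PayloadTooLargeError";
    this.limit = limit;
    this.received = received;
    Object.setPrototypeOf(this, PayloadTooLargeError.prototype); // keeps instanceof working on older targets
  }
}

/** Pick the limit from Content-Type. Only multipart uploads get the larger bound;
 *  anything else, including a missing header, gets the JSON limit, so a client
 *  cannot opt into 10MB by sending an unexpected type. */
function limitForContentType(contentType: string | undefined): number {
  const [mediaType = ""] = (contentType ?? "").toLowerCase().split(";");
  return mediaType.trim() === "multipart/form-data" ? MAX_UPLOAD_BYTES : MAX_JSON_BYTES;
}

/** Fast path: a declared Content-Length above the limit is rejected before any
 *  body bytes are read. Returns the declared length, or null when absent/invalid. */
function checkDeclaredLength(contentLength: string | undefined, limit: number): number | null {
  if (contentLength === undefined) return null;
  const declared = Number(contentLength);
  if (!Number.isInteger(declared) || declared < 0) return null;
  if (declared > limit) throw new PayloadTooLargeError(limit, declared);
  return declared;
}

/** Running byte counter. Content-Length is only a hint (absent with chunked
 *  encoding, or simply wrong), so this counter is what actually enforces the limit. */
class BodyLimiter {
  private received = 0;
  private readonly limit: number;
  constructor(limit: number) { this.limit = limit; }
  push(chunk: Uint8Array): number {
    this.received += chunk.byteLength;
    if (this.received > this.limit) throw new PayloadTooLargeError(this.limit, this.received);
    return this.received;
  }
  get total(): number { return this.received; }
}

/** Consume the body chunk by chunk as a request stream would deliver it; throws
 *  413 as soon as the limit is crossed, before further chunks are retained. */
function readBodyWithLimit(chunks: Uint8Array[], limit: number): Uint8Array {
  const limiter = new BodyLimiter(limit);
  const parts: Uint8Array[] = [];
  for (const chunk of chunks) {
    limiter.push(chunk);
    parts.push(chunk);
  }
  const body = new Uint8Array(limiter.total);
  let offset = 0;
  for (const part of parts) { body.set(part, offset); offset += part.byteLength; }
  return body;
}

interface RequestLike {
  headers: Record<string, string | undefined>;
  body: Uint8Array[];
}

/** Simulated handler: 413 for an oversized body, otherwise 200 with the byte count. */
function handleRequest(req: RequestLike): { status: number; bytes: number } {
  const limit = limitForContentType(req.headers["content-type"]);
  try {
    checkDeclaredLength(req.headers["content-length"], limit);
    const body = readBodyWithLimit(req.body, limit);
    return { status: 200, bytes: body.byteLength };
  } catch (err) {
    if (err instanceof PayloadTooLargeError) return { status: 413, bytes: err.received };
    throw err;
  }
}

// Constructed request bodies (zero-filled, not real traffic) delivered in 64KB chunks.
function sampleChunks(totalBytes: number, chunkSize = 64 * 1024): Uint8Array[] {
  const chunks: Uint8Array[] = [];
  for (let remaining = totalBytes; remaining > 0; remaining -= chunkSize) {
    chunks.push(new Uint8Array(Math.min(chunkSize, remaining)));
  }
  return chunks;
}

console.log(handleRequest({ headers: { "content-type": "application/json" }, body: sampleChunks(MAX_JSON_BYTES + 1) }));
```

In the real app this logic belongs in front of the tRPC handler (the framework's body parser or middleware), so a 413 is returned before any valibot schema runs; the content-type based choice also means the 10MB bound only applies on the upload route, which is where step 4's MIME and size checks then take over.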