Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
Kordant/tasks/web-production/03-input-validation-xss.md
Michael Freno 5214412fff get to prod tasks
2026-05-26 16:06:34 -04:00

2.2 KiB
Raw Permalink Blame History

03. Input Validation & XSS Prevention Audit

meta: id: web-production-03 feature: web-production priority: P1 depends_on: [] tags: [security, validation, production]

objective:

  • Audit and harden all input validation to prevent XSS, injection attacks, and malformed data

deliverables:

  • XSS prevention audit report
  • Input sanitization layer
  • HTML escaping on all user-generated content
  • SQL injection protection verification

steps:

  1. Audit all tRPC routers for input validation gaps:
    • Check web/src/server/api/routers/*.ts for missing valibot schemas
    • Ensure all user inputs have strict type validation
    • Add maxLength constraints to all string inputs
  2. Implement output escaping for user-generated content:
    • Blog posts, user names, alert messages
    • Use DOMPurify or similar on client-side rendering
    • Escape HTML entities server-side before DB storage
  3. Audit database queries for SQL injection:
    • Verify all queries use Drizzle parameterized queries
    • Check raw SQL usage in jobs and services
    • Ensure no string concatenation in SQL
  4. Add content validation for file uploads (if any):
    • MIME type verification
    • File size limits
    • Scan for malware
  5. Implement request body size limits:
    • 1MB max for JSON payloads
    • 10MB max for file uploads
  6. Add tests for malformed input handling

tests:

  • Unit: Test each router with XSS payloads, SQL injection attempts
  • Integration: Submit malicious inputs via API, verify safe handling
  • Security: Run OWASP ZAP or Burp Suite against app

acceptance_criteria:

  • All tRPC inputs have strict valibot validation with bounds
  • User-generated content escaped before rendering
  • No SQL injection vectors in any query
  • XSS payloads rendered as plain text, not executed
  • Request body size limits enforced
  • OWASP ZAP scan shows no high/critical vulnerabilities

validation:

  • Submit <script>alert('xss')</script> in all text fields → rendered safely
  • Submit SQL injection in search fields → no database errors
  • Run npm audit and address all high severity issues

notes:

  • Valibot schemas already in use — expand them with stricter bounds
  • Consider using zod for more complex validation if valibot is limiting
  • Sanitize inputs at API boundary, not just client-side
Reference in New Issue View Git Blame Copy Permalink