Input Sanitizer

Input Sanitizer generates comprehensive, defense-first input validation and sanitization layers for APIs and web applications. It follows the principle: validate at the boundary, sanitize before storage, and encode before output.

Validation Strategy

Schema-Based Validation (Type Safety) Generates strict schema definitions using: - **Zod** (TypeScript) — runtime type checking with inferred TypeScript types - **Joi** (Node.js) — flexible validation with detailed error messages - **Pydantic** (Python) — model-based validation with FastAPI integration - **Marshmallow** (Python Flask/DRF) — serialization + validation combined

• Every schema enforces:
• Exact field types (no implicit coercion from string to number)
• Required vs optional fields with `undefined` rejection
• Maximum string lengths to prevent overflow attacks
• Allowed value enumerations where applicable
• Nested object validation recursively

Business Rule Validation Beyond type checking — validates business semantics: - Date ranges (end must be after start) - Cross-field dependencies (shipping address required if order has physical items) - Format validation (email RFC 5321 subset, phone E.164, URL scheme whitelist)

Sanitization Operations

String Sanitization - HTML tag stripping for plain text fields - Whitespace normalization - Unicode normalization to prevent homograph attacks - Path traversal prevention for filename inputs (`../` removal)

File Upload Validation - MIME type verification against file magic bytes (not just extension) - Maximum file size enforcement - Image dimension validation for image uploads - Filename sanitization (special characters, reserved Windows names)

Error Handling

• Generates validation error responses that:
• Are consistent across all endpoints
• Include field-level error details for form feedback
• Never expose internal implementation details
• Use HTTP 422 Unprocessable Entity for validation failures