[{"data":1,"prerenderedAt":403},["ShallowReactive",2],{"blog-prompts/sanitize-user-input":3},{"id":4,"title":5,"body":6,"category":382,"date":383,"dateModified":384,"description":385,"draft":386,"extension":387,"faq":388,"featured":386,"headerVariant":389,"image":388,"keywords":388,"meta":390,"navigation":391,"ogDescription":392,"ogTitle":388,"path":393,"readTime":388,"schemaOrg":394,"schemaType":395,"seo":396,"sitemap":397,"stem":398,"tags":399,"twitterCard":401,"__hash__":402},"blog/blog/prompts/sanitize-user-input.md","Sanitize User Input with AI Prompts",{"type":7,"value":8,"toc":372},"minimark",[9,16,21,24,98,102,110,163,173,177,180,231,235,250,293,302,318,322,325,346,360],[10,11,12],"tldr",{},[13,14,15],"p",{},"Never trust user input. Validate on client for UX, validate on server for security. Use schema validation (Zod, Yup), sanitize for the output context, and reject rather than try to fix malformed input. These prompts help you implement proper input handling.",[17,18,20],"h2",{"id":19},"schema-validation-setup","Schema Validation Setup",[13,22,23],{},"Use this prompt to set up Zod schema validation for all your forms and API endpoints. Your AI will generate reusable field validators, composable form schemas, server-side middleware, and TypeScript type inference from your schemas.",[25,26,28,31,38,41,60,63,78,81,95],"prompt-box",{"title":27},"Add Zod Validation",[13,29,30],{},"Set up schema-based input validation with Zod.",[13,32,33,34],{},"Framework: ",[35,36,37],"span",{},"Next.js/Express/tRPC",[13,39,40],{},"For each form/endpoint, create schemas that:",[42,43,44,48,51,54,57],"ol",{},[45,46,47],"li",{},"Define expected shape of input",[45,49,50],{},"Validate types (string, number, boolean)",[45,52,53],{},"Check constraints (min, max, regex)",[45,55,56],{},"Transform data as needed",[45,58,59],{},"Provide clear error messages",[13,61,62],{},"Example schema for user registration:",[64,65,66,69,72,75],"ul",{},[45,67,68],{},"email: valid email format",[45,70,71],{},"password: 8+ chars, not common password",[45,73,74],{},"username: 3-20 chars, alphanumeric only",[45,76,77],{},"age: optional, number 13-120",[13,79,80],{},"Create:",[64,82,83,86,89,92],{},[45,84,85],{},"Reusable field validators (email, phone, url)",[45,87,88],{},"Form schemas that compose field validators",[45,90,91],{},"Server-side validation middleware",[45,93,94],{},"Type inference for TypeScript",[13,96,97],{},"Show how to share schemas between client and server.",[17,99,101],{"id":100},"server-side-validation","Server-Side Validation",[13,103,104,105,109],{},"Copy this prompt to add server-side input validation middleware to every API route. Your AI will create a ",[106,107,108],"code",{},"validateBody"," middleware function with schema enforcement, clear 400 error responses, and validation for query params, path params, and file uploads.",[25,111,113,116,119,122,136,143,146,149],{"title":112},"Validate API Input",[13,114,115],{},"Add server-side input validation to my API routes.",[13,117,118],{},"Current problem: API accepts any input without validation",[13,120,121],{},"For each endpoint:",[42,123,124,127,130,133],{},[45,125,126],{},"Define expected input schema",[45,128,129],{},"Validate before processing",[45,131,132],{},"Return 400 with clear errors if invalid",[45,134,135],{},"Never trust client validation alone",[13,137,138,139,142],{},"Implementation for ",[35,140,141],{},"Next.js API/Express",":",[13,144,145],{},"// Middleware approach\nconst validateBody = (schema) => (req, res, next) => {\nconst result = schema.safeParse(req.body);\nif (!result.success) {\nreturn res.status(400).json({ errors: result.error.flatten() });\n}\nreq.validatedBody = result.data;\nnext();\n};",[13,147,148],{},"Also validate:",[64,150,151,154,157,160],{},[45,152,153],{},"Query parameters",[45,155,156],{},"URL path parameters",[45,158,159],{},"Headers (auth tokens, content-type)",[45,161,162],{},"File uploads (type, size)",[164,165,166],"warning-box",{},[13,167,168,172],{},[169,170,171],"strong",{},"Client validation is for UX only:"," Attackers can bypass your JavaScript. Every input must be validated server-side. Client validation just makes the user experience better.",[17,174,176],{"id":175},"sanitize-html-content","Sanitize HTML Content",[13,178,179],{},"This prompt asks your AI to set up DOMPurify-based HTML sanitization for user-generated rich text content. You'll get a configured sanitizer with an allowlist of safe tags and attributes, plus guidance on sanitizing both at input and output time.",[25,181,183,186,189,192,195,214,217,228],{"title":182},"Sanitize User HTML",[13,184,185],{},"Sanitize user-provided HTML content safely.",[13,187,188],{},"Use case: Comments, posts, or profiles with rich text",[13,190,191],{},"Using DOMPurify (recommended):",[13,193,194],{},"const DOMPurify = require('dompurify');\nconst { JSDOM } = require('jsdom');\nconst window = new JSDOM('').window;\nconst purify = DOMPurify(window);",[13,196,197,198,201,202,205,206,209,210,213],{},"const sanitize = (dirty) => {\nreturn purify.sanitize(dirty, {\nALLOWED_TAGS: ",[35,199,200],{},"'p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'",",\nALLOWED_ATTR: ",[35,203,204],{},"'href'",",\nFORBID_TAGS: ",[35,207,208],{},"'script', 'style', 'iframe', 'form', 'input'",",\nFORBID_ATTR: ",[35,211,212],{},"'onclick', 'onerror', 'onload', 'style'","\n});\n};",[13,215,216],{},"Sanitize:",[64,218,219,222,225],{},[45,220,221],{},"On input (before storing)",[45,223,224],{},"On output (before rendering)",[45,226,227],{},"Both is safest",[13,229,230],{},"Never use regex to strip HTML tags - use a proper parser.",[17,232,234],{"id":233},"validate-urls-and-links","Validate URLs and Links",[13,236,237,238,241,242,245,246,249],{},"Use this prompt to generate safe URL validation that blocks ",[106,239,240],{},"javascript:",", ",[106,243,244],{},"data:",", and ",[106,247,248],{},"file:"," protocol attacks. Your AI will create a validation function with protocol allowlisting, optional domain restrictions, and safe redirect handling.",[25,251,253,256,259,273,276,279,282],{"title":252},"Safe URL Handling",[13,254,255],{},"Validate user-provided URLs to prevent attacks.",[13,257,258],{},"Threats:",[64,260,261,264,267,270],{},[45,262,263],{},"javascript: URLs (XSS)",[45,265,266],{},"data: URLs (XSS)",[45,268,269],{},"file: URLs (local file access)",[45,271,272],{},"Open redirect to malicious sites",[13,274,275],{},"Safe URL validation:",[13,277,278],{},"function isValidUrl(input) {\ntry {\nconst url = new URL(input);\n// Only allow http and https\nif (!['http:', 'https:'].includes(url.protocol)) {\nreturn false;\n}\n// Optional: Allowlist of domains\n// if (!allowedDomains.includes(url.hostname)) return false;\nreturn true;\n} catch {\nreturn false;\n}\n}",[13,280,281],{},"For redirects:",[64,283,284,287,290],{},[45,285,286],{},"Use allowlist of permitted redirect destinations",[45,288,289],{},"Or only allow relative URLs (/path, not //evil.com)",[45,291,292],{},"Never redirect to user-provided absolute URLs",[294,295,296],"tip-box",{},[13,297,298,301],{},[169,299,300],{},"Pro tip:"," Use TypeScript with Zod for end-to-end type safety. Your validated data gets the correct types automatically, catching errors at compile time.",[303,304,305,312],"faq-section",{},[306,307,309],"faq-item",{"question":308},"Should I sanitize on input or output?",[13,310,311],{},"Output is more important because context matters. But sanitizing on input too provides defense in depth. Store data in a clean form, then encode appropriately for each output context.",[306,313,315],{"question":314},"What's the difference between validation and sanitization?",[13,316,317],{},"Validation checks if input matches expected format and rejects if not. Sanitization modifies input to remove dangerous content. Prefer validation (reject bad input) over sanitization (fix bad input).",[17,319,321],{"id":320},"further-reading","Further Reading",[13,323,324],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[64,326,327,334,340],{},[45,328,329],{},[330,331,333],"a",{"href":332},"/blog/how-to/validate-user-input","Input validation guide",[45,335,336],{},[330,337,339],{"href":338},"/blog/vulnerabilities/sql-injection","SQL injection prevention",[45,341,342],{},[330,343,345],{"href":344},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[347,348,349,355],"related-articles",{},[350,351],"related-card",{"description":352,"href":353,"title":354},"Prevent script injection","/blog/prompts/fix-xss-vulnerabilities","Fix XSS Vulnerabilities",[350,356],{"description":357,"href":358,"title":359},"Form validation patterns","/blog/prompts/validate-client-input","Validate Client Input",[361,362,365,369],"cta-box",{"href":363,"label":364},"/","Start Free Scan",[17,366,368],{"id":367},"find-input-validation-gaps","Find Input Validation Gaps",[13,370,371],{},"Scan your API for endpoints missing validation.",{"title":373,"searchDepth":374,"depth":374,"links":375},"",2,[376,377,378,379,380,381],{"id":19,"depth":374,"text":20},{"id":100,"depth":374,"text":101},{"id":175,"depth":374,"text":176},{"id":233,"depth":374,"text":234},{"id":320,"depth":374,"text":321},{"id":367,"depth":374,"text":368},"prompts","2026-02-24","2026-03-06","AI prompts to sanitize and validate user input. Prevent injection attacks by properly handling form data, API inputs, and file uploads.",false,"md",null,"cyan",{},true,"AI prompts to properly sanitize and validate all user input.","/blog/prompts/sanitize-user-input","[object Object]","BlogPosting",{"title":5,"description":385},{"loc":393},"blog/prompts/sanitize-user-input",[400],"Frontend","summary_large_image","1K5TNtWjhMnVcdnM1if_VqEKZT1H2O-jiTo_3Tjnelc",1775843938183]