
feat: sanitize all user inputs to prevent injection attacks#299

Merged
success-OG merged 2 commits into DogStark:main from greatKhalifa-code:feat/input-sanitization
Apr 29, 2026

Conversation

@greatKhalifa-code
Contributor

Implements global input sanitization across the backend API to prevent SQL injection and XSS attacks, with enforced
input length limits.

What's changed

  • backend/utils/sanitize.ts — Core sanitization utilities:

    • stripXss — removes HTML tags and dangerous patterns (javascript:, data:, on*= event handlers)
    • detectSqlInjection — regex detection of SQL keywords (SELECT, DROP, UNION, DELETE, --, /*, etc.)
    • truncate — enforces MAX_INPUT_LENGTH (10,000 chars) on any string
    • sanitizeValue — composes truncate → SQL check (throws) → XSS strip
    • sanitizeObject — recursively applies sanitization to all string values in objects and arrays
  • backend/middleware/sanitize.ts — sanitizeInputs Express middleware that sanitizes req.body, req.query, and
    req.params on every request; returns 400 INVALID_INPUT if SQL injection is detected.

  • backend/server/app.ts — sanitizeInputs wired globally after express.json(), before all route handlers. Also wired
    the pre-existing unused communityRouter.

  • backend/utils/tests/sanitize.test.ts — 27 passing unit tests.

Acceptance criteria

  • ✅ Inputs sanitized — all req.body, req.query, req.params strings are sanitized on every request
  • ✅ Attacks prevented — SQL injection returns 400, XSS tags are stripped before data reaches handlers
  • ✅ Input length limits — strings truncated to 10,000 characters maximum

closes #90 Add input sanitization #159

- Add backend/utils/sanitize.ts with stripXss, detectSqlInjection,
  truncate, sanitizeValue, sanitizeObject utilities
- Add backend/middleware/sanitize.ts Express middleware sanitizing
  req.body, req.query, req.params; returns 400 on SQL injection
- Wire sanitizeInputs globally in app.ts after express.json()
- Wire communityRouter (pre-existing unused import fix)
- Add 27 unit tests covering XSS, SQL injection, length limits,
  recursive object sanitization, and middleware behavior
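The truncate → SQL check → XSS strip composition and the recursive object walk described above, as an added TypeScript example that is not the project's code; the MAX_INPUT_LENGTH constant, the regex lists and the InvalidInputError name are assumptions modelled on the PR description.

```typescript
// Added example, not the project's backend/utils/sanitize.ts.
// Constants and patterns below are assumptions based on the PR description.
const MAX_INPUT_LENGTH = 10_000;

// Coarse keyword filter: also matches ordinary text containing e.g. "select".
const SQL_PATTERN = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION)\b|--|\/\*/i;
const XSS_PATTERNS: RegExp[] = [
  /<[^>]*>/g,        // any HTML tag
  /javascript:/gi,   // javascript: URLs
  /data:/gi,         // data: URLs
  /\bon\w+\s*=/gi,   // on*= event handlers (also hits words like "onion=")
];

class InvalidInputError extends Error {}

// Enforce the length limit before any pattern matching runs.
function truncate(s: string): string {
  return s.length > MAX_INPUT_LENGTH ? s.slice(0, MAX_INPUT_LENGTH) : s;
}

function detectSqlInjection(s: string): boolean {
  return SQL_PATTERN.test(s);
}

function stripXss(s: string): string {
  return XSS_PATTERNS.reduce((acc, re) => acc.replace(re, ""), s);
}

// truncate -> SQL check (throws) -> XSS strip, in that order.
function sanitizeValue(s: string): string {
  const t = truncate(s);
  if (detectSqlInjection(t)) throw new InvalidInputError("INVALID_INPUT");
  return stripXss(t);
}

// Walk objects and arrays; only string leaves are rewritten.
function sanitizeObject(v: unknown): unknown {
  if (typeof v === "string") return sanitizeValue(v);
  if (Array.isArray(v)) return v.map(sanitizeObject);
  if (v !== null && typeof v === "object") {
    return Object.fromEntries(
      Object.entries(v as Record<string, unknown>).map(([k, x]) => [k, sanitizeObject(x)]),
    );
  }
  return v; // numbers, booleans, null, undefined pass through unchanged
}
```

A middleware would call sanitizeObject on req.body, req.query and req.params and map InvalidInputError to a 400 response; the keyword filter is a pre-filter only, and parameterized queries remain the actual SQL-injection defence at the database layer.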
@drips-wave

drips-wave Bot commented Apr 29, 2026

@greatKhalifa-code Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@success-OG success-OG merged commit 2340213 into DogStark:main Apr 29, 2026
0 of 2 checks passed

Development

Successfully merging this pull request may close these issues.

#90 Add input sanitization