[P0] SEC.2 - Input Validation & Sanitization #83

@echetoui

Description

Effort: 8h | Owner: Backend + Frontend

Tasks

  • Add schema validation (Zod or Joi)
  • Sanitize all text inputs (DOMPurify)
  • Validate file uploads (magic bytes, not just extension)
  • Prevent XSS in description field
  • Prevent SQL injection in all queries
  • Rate limit auth endpoints

Test Coverage

  • OWASP Top 10 scenarios
  • SQL injection attempts
  • XSS payloads in description field
  • File type spoofing (fake extension)
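The "magic bytes, not just extension" task and the "fake extension" test case above come together in the following check. It is an added example for this issue, not code from the project: it assumes uploads arrive as Node `Buffer`s, and the signature allow-list and the `validateUpload` / `detectType` names are illustrative choices, not the project's API.

```javascript
// Added example (not the project's code): validate an upload by its magic bytes,
// then check that the declared extension agrees with the detected content type.
// Assumption: files arrive as Node Buffers; the allow-list below is constructed.

// Signatures for a small allow-list of image/document types. Each entry lists the
// byte offset and the bytes expected there. (Constructed allow-list.)
const SIGNATURES = {
  png:  [{ offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  jpeg: [{ offset: 0, bytes: [0xff, 0xd8, 0xff] }],
  gif:  [{ offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] }],       // "GIF8"
  pdf:  [{ offset: 0, bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }], // "%PDF-"
  // WebP is a RIFF container: "RIFF" at offset 0 and "WEBP" at offset 8.
  webp: [{ offset: 0, bytes: [0x52, 0x49, 0x46, 0x46] },
         { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] }],
};

// Extensions the application accepts, mapped to the type their content must have.
const EXTENSION_TO_TYPE = {
  png: 'png', jpg: 'jpeg', jpeg: 'jpeg', gif: 'gif', pdf: 'pdf', webp: 'webp',
};

// True if every (offset, bytes) pair of the signature is present in buf.
function matchesSignature(buf, sig) {
  return sig.every(({ offset, bytes }) =>
    buf.length >= offset + bytes.length &&
    bytes.every((b, i) => buf[offset + i] === b));
}

// Returns the detected type name, or null if no known signature matches
// (including the short/truncated-buffer case).
function detectType(buf) {
  for (const [type, sig] of Object.entries(SIGNATURES)) {
    if (matchesSignature(buf, sig)) return type;
  }
  return null;
}

// Validate an upload. Returns { ok: true, type } or { ok: false, reason }.
// The extension comes from the client-supplied filename and is untrusted: it is
// used only to check that the client's claim agrees with the actual content.
function validateUpload(filename, buf) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const claimed = EXTENSION_TO_TYPE[ext];
  if (!claimed) return { ok: false, reason: `extension not allowed: .${ext}` };
  const detected = detectType(buf);
  if (!detected) return { ok: false, reason: 'content does not match any allowed type' };
  if (detected !== claimed) {
    return { ok: false, reason: `extension .${ext} claims ${claimed} but content is ${detected}` };
  }
  return { ok: true, type: detected };
}

// Constructed sample inputs: a genuine PNG header, and an HTML document renamed
// to .png (the "fake extension" spoofing case from the issue's test coverage).
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_HTML_AS_PNG = Buffer.from('<html><body>not an image</body></html>', 'utf8');

console.log(validateUpload('photo.png', SAMPLE_PNG));          // ok: true, type: 'png'
console.log(validateUpload('photo.png', SAMPLE_HTML_AS_PNG));  // ok: false (content mismatch)
console.log(validateUpload('photo.jpg', SAMPLE_PNG));          // ok: false (claims jpeg, is png)
```

The extension is still checked, but only against an allow-list and only to confirm the client's claim; the decision about what the file is rests on the bytes. Rejecting a mismatch (rather than silently trusting the detected type) also catches the case the issue's test coverage names, where a non-image is renamed to an image extension.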

Acceptance Criteria

  • All OWASP Top 10 scenarios tested and passing
  • No console errors for invalid input
  • Rate limiting returns 429 status code
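For the "rate limit auth endpoints" task and the acceptance criterion that limiting answers with 429, here is an added example of a sliding-window limiter with an Express-style middleware. It is not the project's code: the `SlidingWindowLimiter` and `rateLimitAuth` names, the limit of 5 attempts per minute, the `ip:path` key and the in-memory store are all assumptions made for illustration (a real deployment behind several instances would need a shared store).

```javascript
// Added example (not the project's code): an in-memory sliding-window rate limiter
// for auth endpoints, plus a middleware in the (req, res, next) shape Express uses
// that answers 429 with a Retry-After header. Assumptions: single process; the key
// is client IP plus route; the limits are illustrative.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;        // max requests per window
    this.windowMs = windowMs;  // window length in milliseconds
    this.now = now;            // injectable clock so the behaviour is testable
    this.hits = new Map();     // key -> timestamps (ms) of attempts still in the window
  }

  // Record one attempt for key. Returns { allowed, remaining, retryAfterSec }.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest attempt in the window expires at recent[0] + windowMs.
      const retryAfterSec = Math.ceil((recent[0] + this.windowMs - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Middleware factory. Every attempt counts, successful or not, so a valid login
// does not reset the counter for the client.
function rateLimitAuth(limiter) {
  return (req, res, next) => {
    const key = `${req.ip}:${req.path}`;
    const result = limiter.check(key);
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSec));
      res.status(429).json({ error: 'Too many requests' });
      return;
    }
    next();
  };
}

// Constructed driver: a fake clock and fake req/res objects so the middleware can be
// exercised without a server. Returns the HTTP status produced for each attempt.
function simulateLoginBurst(attempts, { limit = 5, windowMs = 60_000 } = {}) {
  let clock = 1_000_000;
  const limiter = new SlidingWindowLimiter({ limit, windowMs, now: () => clock });
  const mw = rateLimitAuth(limiter);
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    let status = 200; // what the handler would answer if next() is reached
    const res = {
      headers: {},
      setHeader(k, v) { this.headers[k] = v; },
      status(code) { status = code; return this; },
      json() { return this; },
    };
    mw({ ip: '203.0.113.7', path: '/auth/login' }, res, () => {}); // constructed request
    statuses.push(status);
    clock += 1000; // one attempt per second
  }
  return statuses;
}

console.log(simulateLoginBurst(8)); // [200, 200, 200, 200, 200, 429, 429, 429]
```

The limiter is keyed per client and route so that one client hammering `/auth/login` cannot lock everyone else out; the `Retry-After` value tells a well-behaved client when the oldest attempt falls out of the window. Because the clock is injected, the 429 path and the window-expiry path can both be asserted in unit tests without sleeping.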

Metadata

Assignees

No one assigned

Labels

  • OWASP (OWASP security requirements)
  • P0 (Priority 0 - Critical, blocking)
  • security (Security-related work)

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests