Open
Labels: agentic (AI/agent-related features), complexity:large (More than 1 day), lang:php (PHP/Laravel)
Description
Overview
Comprehensive input validation and sanitisation across all input vectors: request body, query parameters, route parameters, cookies, and server variables.
Phase 1 — Framework-level
- #80 — security(input): sanitise route parameters in Sanitiser middleware
Phase 2 — Extensions
- #81 — security(trees): validate $model parameter in TreeStatsController
- #90 — security(bouncer): review overly permissive bypass patterns
- #93 — security(input): extend superglobal sanitisation to cookies and server vars
Previously Created (existing)
Exit Criteria
All input vectors are sanitised. No unsanitised user input reaches business logic.