---
name: sanitizing-user-inputs
description: Sanitizing and validating user input to prevent XSS, injection attacks, and security vulnerabilities in TypeScript applications
---
# Security: Input Validation and Sanitization
**Purpose:** Prevent security vulnerabilities by properly validating and sanitizing all user input, preventing XSS, SQL injection, command injection, and other attack vectors.
**When to use:** Any time you process user input, API requests, URL parameters, form data, file uploads, or any external data source.
## Core Security Principles
### 1. Never Trust User Input
**All user input is potentially malicious until proven safe.**
This includes:
- Form submissions
- URL query parameters
- Request headers
- Cookies
- File uploads
- WebSocket messages
- GraphQL queries
- API request bodies
### 2. Validate Then Sanitize
**Two-step process:**
1. **Validation:** Check if input matches expected format/type
2. **Sanitization:** Remove or escape dangerous characters
**Never sanitize without validating first** - sanitization can hide malicious patterns.
### 3. Allowlist Over Blocklist
**Allowlist (good):** Accept only known-safe inputs
```typescript
const validRoles = ['admin', 'user', 'guest'] as const;
if (!validRoles.includes(role)) {
throw new ValidationError('Invalid role');
}
```
**Blocklist (bad):** Try to block known-bad inputs
```typescript
if (input.includes('';
document.innerHTML = userInput;
```
This executes the script in the user's browser, potentially:
- Stealing cookies/session tokens
- Performing actions as the user
- Defacing the page
- Redirecting to phishing sites
### Preventing XSS in TypeScript/React
**React (safe by default):**
```typescript
function UserProfile({ username }: { username: string }) {
return {username}
;
}
```
React automatically escapes `{username}`. This is safe even if `username` contains `