Skip to content

Q&A: Input Validation and Sanitization of End User Messages

Question

How are we performing input validation and sanitization of messages coming via end user?

Tech Lead's Answer

All messages received from end users are validated and sanitized at the API gateway and backend service layers. Validation includes checking for message length, allowed characters, and format. Sanitization removes or escapes potentially dangerous content (e.g., scripts, HTML tags) to prevent injection attacks and ensure safe processing by downstream systems, including LLMs.

Recommendation

Maintain strict input validation and sanitization for all user-supplied data. Regularly update validation rules to address new threats.

Risk

If input is not properly validated or sanitized, attackers could exploit injection vulnerabilities, leading to XSS, LLM prompt injection, or backend compromise.

Mitigation

  • Enforce validation and sanitization at all entry points.
  • Use well-maintained libraries for sanitization.
  • Monitor for validation failures and suspicious input patterns.

Incident Response Plan

  • Block and log malicious input attempts.
  • Patch validation/sanitization gaps.
  • Notify security team and affected partners.