Description: Several administrative and public search endpoints interpolate user-supplied strings directly into database queries, creating an injection risk, and echo those same strings back to frontend clients, creating a reflected Cross-Site Scripting (XSS) vector.
Context / Motivation: Strictly validating all inputs at the API boundary rejects malformed input before it reaches query builders, templates or other internal execution paths. Validation narrows the attack surface but does not by itself prevent injection: queries must also be parameterized and any reflected value must be output-encoded for the context it is rendered in.
Acceptance Criteria:
req.body, req.query, req.params).
Technical Pointers: Rely entirely on parameterized queries or the ORM's safe-execution API instead of constructing query components via raw string concatenation. Where a clause cannot take a bind parameter (for example the column in ORDER BY), select it from a server-side allow-list rather than from the request.
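The following is an added illustration, not code from this ticket or the project's code base. It shows an Express-style search handler in the vulnerable string-concatenation form beside the hardened form: allow-list and range validation of req.query at the boundary, a parameterized query in the shape node-postgres's query(text, values) accepts, and HTML encoding before the search term is reflected to the client. The function names, the "products" table and its columns, and the `db` object are assumptions for the example.

```javascript
// Added example (not the project's code). The handler, validator and the
// "products" table with its columns are hypothetical.

// --- Vulnerable: raw concatenation of req.query values into SQL ---
function buildSearchQueryUnsafe(query) {
  return (
    "SELECT id, name FROM products WHERE name LIKE '%" + query.term + "%'" +
    " ORDER BY " + query.sort + " LIMIT " + query.limit
  );
}

// --- Hardened: validate at the boundary, then parameterize ---
const ALLOWED_SORT_COLUMNS = new Set(["name", "price", "created_at"]);
const MAX_TERM_LENGTH = 100;
const MAX_LIMIT = 100;

// Returns { ok: true, value } with normalised fields, or { ok: false, errors }.
// Fields are allow-listed or range-checked; nothing is "sanitised" by stripping
// characters, because stripping is not a substitute for bind parameters.
function validateSearchInput(query) {
  const errors = [];
  const term = typeof query.term === "string" ? query.term.trim() : "";
  if (term.length === 0 || term.length > MAX_TERM_LENGTH) {
    errors.push("term must be 1-" + MAX_TERM_LENGTH + " characters");
  }
  const sort = query.sort === undefined ? "name" : query.sort;
  if (!ALLOWED_SORT_COLUMNS.has(sort)) {
    errors.push("sort must be one of " + [...ALLOWED_SORT_COLUMNS].join(", "));
  }
  const limit = query.limit === undefined ? 20 : Number(query.limit);
  if (!Number.isInteger(limit) || limit < 1 || limit > MAX_LIMIT) {
    errors.push("limit must be an integer between 1 and " + MAX_LIMIT);
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { term, sort, limit } };
}

// Escape LIKE metacharacters so the user's text matches literally inside the
// pattern; a bind parameter prevents injection but not wildcard abuse.
function escapeLike(s) {
  return s.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Produces a parameterized query: SQL text with $1.. placeholders and a
// separate values array. ORDER BY cannot take a bind parameter, so the column
// comes from the validated allow-list value, never from the raw request.
function buildSearchQuery(input) {
  const text =
    "SELECT id, name FROM products WHERE name LIKE $1 ESCAPE '\\' " +
    "ORDER BY " + input.sort + " LIMIT $2";
  return { text, values: ["%" + escapeLike(input.term) + "%", input.limit] };
}

// Encode before reflecting the term into HTML (e.g. "Results for <term>").
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Handler wiring the pieces together. `db` is assumed to expose
// query(text, values) like node-postgres; `res` follows Express's shape.
async function searchHandler(req, res, db) {
  const result = validateSearchInput(req.query);
  if (!result.ok) return res.status(400).json({ errors: result.errors });
  const { text, values } = buildSearchQuery(result.value);
  const rows = await db.query(text, values);
  return res
    .status(200)
    .send("<h1>Results for " + escapeHtml(result.value.term) + "</h1>" + JSON.stringify(rows));
}
```

Feeding a constructed payload such as `{ term: "x' OR 1=1 --", sort: "name; DROP TABLE products" }` through buildSearchQueryUnsafe shows both fragments land inside the SQL text; the hardened path rejects the sort value at validation time and, once the term is accepted, passes it only as a bind value.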