validateMetadata() is a no-op — user input hits the DB unvalidated

[Otaiki1]

Problem

MetadataService.upsertMetadata() calls validateMetadata(), but the validator body is empty (metadata.service.ts:50-53). Title, description, and category are inserted into the database without length checks, format enforcement, or sanitisation — opening the door to oversized payloads and stored XSS.

Fix

Implement the validator: enforce max lengths, allowlisted categories, and strip/reject dangerous characters before any DB write.

File: backend/src/services/metadata.service.ts:36-54

[Frontman-Code]

@Frontman-Code has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

i will work on it

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Frontman-Code to this issue.

[Vvictor-commits]

@Vvictor-commits has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

please assign this issue to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Vvictor-commits to this issue.

[Michealshodipo56]

@Michealshodipo56 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

i would like to work on this kindly assign me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Michealshodipo56 to this issue.

[Truphile]

@Truphile has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi @maintainer,

I'm deep in the backend service layer and completely set to fortify this ingestion boundary.

Leaving a data validator completely empty prior to database writes is an immediate security liability. It invites database bloating via oversized payloads, introduces storage-layer denial of service, and opens the door for stored Cross-Site Scripting (XSS) vectors that execute maliciously inside administrative panels or consumer layouts. Having engineered secured backend endpoints and strict data persistence modules before, I know exactly how crucial defensive parameter sanitization is to maintain application state integrity.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Truphile to this issue.

[mrteeednut007-dotcom]

@mrteeednut007-dotcom has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I’m interested in tackling this! I have a strong background in smart contract development and full-stack systems, so I'm well-equipped to handle the requirements here. Could you please assign this to me

ℹ️ Repo Maintainers: To accept this application, review their application or assign @mrteeednut007-dotcom to this issue.

[DatboiCaleb]

@DatboiCaleb has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi Maintainer I have read through the fix for this issue and I'm ready to solve this because I'm a well-experienced developer.. Assign me.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @DatboiCaleb to this issue.

[sammycee769]

@sammycee769 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

i can work on this, and would love to work on this

ℹ️ Repo Maintainers: To accept this application, review their application or assign @sammycee769 to this issue.