Epic: Input Validation & Sanitisation

[Snider]

Overview

Comprehensive input validation and sanitisation across all input vectors: request body, query parameters, route parameters, cookies, and server variables.

Phase 1 — Framework-level

• security(input): sanitise route parameters in Sanitiser middleware #80 — security(input): sanitise route parameters in Sanitiser middleware

Phase 2 — Extensions

• security(trees): validate $model parameter in TreeStatsController #81 — security(trees): validate $model parameter in TreeStatsController
• security(bouncer): review overly permissive bypass patterns #90 — security(bouncer): review overly permissive bypass patterns
• security(input): extend superglobal sanitisation to cookies and server vars #93 — security(input): extend superglobal sanitisation to cookies and server vars

Previously Created (existing)

• Concurrency: Sanitiser preset registration not thread-safe #32

Exit Criteria

All input vectors are sanitised. No unsanitised user input reaches business logic.