Safeguard
Tag

input-validation

Safeguard articles tagged "input-validation" — guides, analysis, and best practices for software supply chain and application security.

22 articles

Application Security

NoSQL injection prevention in MongoDB and Mongoose

A single unsanitized query key like $ne can bypass authentication in MongoDB apps — two 2024-2025 Mongoose CVEs show the fix is harder than one middleware package.

Jul 16, 20267 min read
Best Practices

Secure Coding Fundamentals: A No-Jargon Checklist for New Developers

Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.

Jul 15, 20267 min read
Application Security

Using Jakarta Bean Validation correctly: a defensive walkthrough

Jakarta Bean Validation stops malformed input, not attackers — a 2025 Hibernate Validator EL-injection flaw (CVSS 7.3) shows what goes wrong when teams conflate the two.

Jul 13, 20267 min read
Application Security

Preventing SMTP injection vulnerabilities in email-sending code

A crafted From address turned PHPMailer into a remote code execution bug in 2016 — here's how header injection works and how to stop it.

Jul 13, 20266 min read
Application Security

Safely Parsing Untrusted URLs in Node.js

Node's legacy url.parse() is deprecated (DEP0169), and parser mismatches between it, the WHATWG URL API, and fetchers are a documented root cause of SSRF and open redirects.

Jul 13, 20266 min read
Application Security

XPath injection: how it happens and how to stop it in Java, .NET, and PHP

A 2024 GeoServer flaw showed unsanitized input reaching an XPath evaluator can mean remote code execution, not just data leakage. Here's how to prevent it.

Jul 13, 20266 min read
Best Practices

Writing your first Jest unit tests for security-critical JavaScript

Jest ships to ~41M weekly npm installs with assertions, mocking, and coverage built in — here's how to structure your first tests around security logic.

Jul 12, 20267 min read
Application Security

Robust URL Validation in Python: Stopping SSRF and Open Redirects

One misparsed IP string cost Capital One 106 million records. Here's how to validate URLs in Python without repeating that mistake.

Jul 11, 20266 min read
Application Security

LDAP injection: a technical primer and defense guide

LDAP injection is CWE-90, dates to the same root cause as SQL injection, and still shipped in production software as recently as CVE-2023-0476.

Jul 8, 20266 min read
Application Security

A practical REST API hardening checklist

OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.

Jul 8, 20266 min read
Application Security

Secure URL Encoding and Decoding in Java

Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.

Jul 8, 20266 min read
Application Security

Robust input validation in Spring Boot: Bean Validation and its bypasses

Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.

Jul 8, 20266 min read
input-validation — Safeguard Blog