Hi team,
While going through the Input Validation Cheat Sheet, I noticed that it doesn’t currently include a section that highlights the common mistakes developers make when handling input. In practice, these mistakes are often the real reason validation fails, even when the basic rules are understood.
I think adding a short “Common Pitfalls” section would make the cheat sheet more practical and help readers avoid issues that show up frequently in real applications.
Some examples of pitfalls that could be included:
Relying only on client‑side validation
Using blacklists instead of whitelists
Not validating data after deserialization
Assuming internal APIs or microservices are “trusted”
Skipping validation for file uploads or filenames
Using overly permissive or unsafe regex patterns
Not validating nested JSON structures or array lengths
Ignoring Unicode normalization issues
Treating JSON input as automatically safe
Forgetting to validate input before logging or storing it
These are all things that developers run into regularly, and having them called out clearly would make the cheat sheet even more helpful.
If this sounds useful, I’d be happy to draft the section and open a PR.
Thanks!
Hi team,
While going through the Input Validation Cheat Sheet, I noticed that it doesn’t currently include a section that highlights the common mistakes developers make when handling input. In practice, these mistakes are often the real reason validation fails, even when the basic rules are understood.
I think adding a short “Common Pitfalls” section would make the cheat sheet more practical and help readers avoid issues that show up frequently in real applications.
Some examples of pitfalls that could be included:
Relying only on client‑side validation
Using blacklists instead of whitelists
Not validating data after deserialization
Assuming internal APIs or microservices are “trusted”
Skipping validation for file uploads or filenames
Using overly permissive or unsafe regex patterns
Not validating nested JSON structures or array lengths
Ignoring Unicode normalization issues
Treating JSON input as automatically safe
Forgetting to validate input before logging or storing it
These are all things that developers run into regularly, and having them called out clearly would make the cheat sheet even more helpful.
If this sounds useful, I’d be happy to draft the section and open a PR.
Thanks!