Input Validation Agent Skill

Server-side input validation — Zod schemas, HTML sanitization, strict API boundaries.

Tags: security, validation, zod, sanitization

The Skill


SKILL.md
---
description: Server-side input validation — Zod schemas, HTML sanitization, strict API boundaries.
homepage: https://yepapi.com/skills/input-validation
metadata:
  tags: [security, validation, zod, sanitization]
---

# Input Validation

## Rules

- Validate ALL user input server-side with Zod schemas at API boundaries — never trust client data
- Define strict schemas that reject unexpected fields: use `.strict()` on Zod objects
- Sanitize HTML input with DOMPurify before storing or rendering user-generated content
- Validate early, fail fast: return 400 with field-specific errors, never process invalid data
- Coerce types explicitly: use `z.coerce.number()` instead of trusting `typeof`
- Validate path params, query strings, headers, and body — not just body

```ts
// Next.js API route / Route Handler
import { z } from "zod";

const CreateUserSchema = z.object({
  email: z.string().email().max(255),
  name: z.string().min(1).max(100).trim(),
  age: z.coerce.number().int().min(13).max(120),
}).strict();

export async function POST(req: Request) {
  // Parse the body ourselves: a malformed body is a 400, not an unhandled exception.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return Response.json({ error: "Request body must be valid JSON" }, { status: 400 });
  }
  const result = CreateUserSchema.safeParse(body);
  if (!result.success) {
    // flatten() yields field-specific messages without exposing internals
    return Response.json({ error: result.error.flatten() }, { status: 400 });
  }
  const { email, name, age } = result.data;
  // safe to use: email, name and age are validated and correctly typed
  return Response.json({ email, name, age }, { status: 201 });
}
```

```ts
// Sanitize user HTML before storage
import DOMPurify from "isomorphic-dompurify";

// Allowlist, not denylist: only these tags survive, everything else is stripped.
export function sanitizeUserHtml(userInput: string): string {
  return DOMPurify.sanitize(userInput, { ALLOWED_TAGS: ["b", "i", "a", "p"] });
}
```

## Avoid

- Validating only on the client — attackers bypass your frontend entirely
- Using `any` or `unknown` without validation — type assertions are not security
- String-concatenating user input into HTML, SQL, or shell commands
- Trusting `Content-Type` headers without verifying the actual payload
- Allowing unbounded string lengths — always set `.max()` on strings and arrays


Why Use the Input Validation Skill?

Without this skill, your AI guesses at input validation patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.

Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.

Try These Prompts

These prompts work better with the Input Validation skill installed. Your AI knows the context and writes code that fits.

"Add Zod schema validation to all my API routes with proper error responses"

"Create a reusable input sanitization layer that strips HTML from user input"

"Build a middleware that validates request body, query params, and path params with Zod"

Input Validation skill — FAQ

It provides rules for server-side validation with Zod schemas, HTML sanitization with DOMPurify, and strict API boundary enforcement. Your AI writes secure validation code from the start instead of trusting client data.

Run `npx skills add YepAPI/skills --skill input-validation` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.

Client-side validation is a UX convenience — attackers bypass your frontend entirely. Server-side validation with Zod schemas ensures all data is validated at the API boundary regardless of how the request arrives.
