Validation Pattern

Zod-based validation on both frontend and backend, with mandatory XSS sanitization for all user-facing text.

Dual Validation

Side	Tool	Purpose
Backend	OpenAPIHono + Zod	Route input validation (source of truth)
Frontend	react-hook-form + @hookform/resolvers/zod	Form validation (UX feedback)

Shared validation constants: shared/validation-constants.ts (field lengths, regex patterns).

XSS Sanitization Helpers

backend/src/lib/sanitization-helpers.ts provides DOMPurify-based helpers:

Helper	Purpose	Example
strictTextField(maxLen)	Strips ALL HTML	Names, labels, notes
sanitizedLocalizedText(maxLen)	Required bilingual {de, en}	Entity names
optionalSanitizedLocalizedText(maxLen)	Optional bilingual {de, en}	Descriptions
richTextLocalizedText(maxLen)	Admin-only rich text	System templates

Sanitization Levels

Level	Allowed Tags	Use Case
STRICT	None (strips all HTML)	99% of fields
BASIC_FORMATTING	<b>, <i>, <em>, <strong>, <br>	Limited formatting
RICH_TEXT	Extended set	Admin-only, never user input

Usage Rules

• Raw z.string() ONLY for non-user-facing values (tokens, emails, system keys, regex patterns)
• NEVER configure ALLOWED_TAGS via environment variables
• NEVER use inline purify.sanitize() calls — always use the helpers
• NEVER use RICH_TEXT level for user-submitted content

LocalizedText Validation

All bilingual fields use the LocalizedText pattern:

const schema = z.object({
  name: sanitizedLocalizedText(100),
  description: optionalSanitizedLocalizedText(1000),
});

Enforcement: pre-commit hook + validator script + CI quality-checks.yml.

Zod Version

Locked to 4.1.13 due to incompatibility between @hookform/resolvers@5.2.2 and Zod 4.2.x.

See Also

• Coding Guidelines — XSS and LocalizedText rules
• Shared Layer — shared validation constants
• Security Scanning — automated vulnerability detection
• API Layer Pattern — validation in the request pipeline
• Middleware Stack — sanitization middleware position
• Error Handling Pattern — Zod validation error responses