Validation And Sink Defaults
Pack: security
Parent skill: Security Input Validation And Dangerous Sinks
Source: security/security-input-validation-and-dangerous-sinks/references/validation-and-sink-defaults.md
Match the protection to the sink
- SQL -> parameterized queries
- HTML -> output-context escaping or sanitization
- shell -> no interpolation, structured args only
- filesystem -> fixed roots and allowlisted names
- redirect or URL fetch -> allowlists and scheme checks
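Added example, not part of the original reference: one Python function per sink for four of the pairings above (SQL, HTML, filesystem, redirect), each applying the protection that matches that sink rather than a generic "sanitize input" step. The `users` table, the `/tmp/reports` root, the filename pattern and the host allowlist are assumptions made for the demo.

```python
import html
import re
import sqlite3
from pathlib import Path
from urllib.parse import urlsplit

# SQL sink: the value travels as a bound parameter, never as query text.
def find_user(conn, username):
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None

# HTML sink: escape for the element-body context at output time, not on input.
def render_greeting(name):
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# Filesystem sink: fixed root plus an allowlisted filename shape (assumed pattern),
# then confirm the resolved path is still inside the root. Returns None on reject.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")

def resolve_report(root, name):
    if not NAME_RE.fullmatch(name):
        return None
    root = Path(root).resolve()
    target = (root / name).resolve()
    if root not in target.parents:
        return None
    return target

# Redirect sink: scheme and host allowlists (assumed values), not a substring check.
ALLOWED_HOSTS = {"app.example.test"}

def safe_redirect(url):
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return "/"
    return url

def demo():
    # Constructed in-memory table so the SQL sink can be exercised offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    injected = "alice' OR '1'='1"  # constructed sample: matched literally, so no row
    return find_user(conn, "alice"), find_user(conn, injected)
```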
Default rule
If you cannot name the dangerous sink, you are probably validating too vaguely.