S28 2903 Input Data Validation for possibly malicious content #1385

Open
RuthKirby wants to merge 30 commits into master from S28-2903-data-validation
RuthKirby commented Mar 24, 2026

JIRA ticket(s)

https://tools.hmcts.net/jira/browse/S28-2903
https://tools.hmcts.net/jira/browse/S28-2942

Change description

  • Adds custom Sanitizer validation annotation for Strings

QA instructions

  • Try to create and update (PUT/POST) the below with unsafe data in their string fields (e.g. <script>alert("malicious!")</script>, , <a href="https://example.com">I am bad link</a>). You should receive back a 400 status code with a response message related to "Potentially malicious content":
    • Capture Session
    • Court
    • Edit Request
    • Invite
    • User
    • VFMigration
    • Audit
    • Participant
    • (any others you can think of)
  • Regression testing that retrieving data via GET is unchanged
    Note: The one exception is the Audit Details; strings within its JSON will fail the test. Validation annotation for that field will be completed in https://tools.hmcts.net/jira/browse/S28-4842

RuthKirby requested a review from a team as a code owner March 24, 2026 16:11
RuthKirby changed the title from "S28 2903 data validation" to "S28 2903 Input Data Validation" Mar 24, 2026
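
One way a String constraint like the one this PR describes could be written, as an added example that is not code from the PR or the project. It assumes Jakarta Bean Validation with a provider such as Hibernate Validator (and an expression-language implementation) plus jsoup on the classpath; `NoMarkup`, `NoMarkupValidator` and `CourtRequest` are hypothetical names, and checking with jsoup's `Safelist.none()` is this example's choice, not necessarily what the PR does.

```java
import jakarta.validation.*;
import java.lang.annotation.*;
import java.util.List;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class SanitizerDemo {

    // Hypothetical constraint: the annotated String must contain no HTML markup.
    @Documented
    @Constraint(validatedBy = NoMarkupValidator.class)
    @Target({ElementType.FIELD, ElementType.PARAMETER})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface NoMarkup {
        String message() default "Potentially malicious content";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class NoMarkupValidator implements ConstraintValidator<NoMarkup, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext context) {
            // null is left to @NotNull. Safelist.none() permits text nodes only,
            // so any element (script, a, img, ...) makes the value invalid.
            return value == null || Jsoup.isValid(value, Safelist.none());
        }
    }

    // Hypothetical request DTO standing in for one of the resources in the QA list.
    public static class CourtRequest {
        @NoMarkup
        String name;
        CourtRequest(String name) { this.name = name; }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed inputs: one benign value plus the two samples from the QA notes.
        List<String> samples = List.of(
            "Example Crown Court",
            "<script>alert(\"malicious!\")</script>",
            "<a href=\"https://example.com\">I am bad link</a>");
        for (String s : samples) {
            var violations = validator.validate(new CourtRequest(s));
            // A non-empty set is the condition an API layer would map to a 400 response.
            System.out.println((violations.isEmpty() ? "accepted: " : "rejected: ") + s);
        }
    }
}
```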
oliver-scott left a comment

Nice work both!

RuthKirby changed the title from "S28 2903 Input Data Validation" to "S28 2903 Input Data Validation for possibly malicious content" Mar 27, 2026