
tessl-labs/input-sanitization

Sanitize and validate user input at system boundaries — prevent XSS, SQL

Score: 94 (1.20x)
Quality: 89% (Does it follow best practices?)
Impact: 100% (1.20x), average score across 6 eval scenarios
Security by Snyk: Passed, no known issues


Evaluation results

Product Catalog Search API
ORM safety and parameterized queries
Scenario score: 100% with context, 3% without context

Criteria                                    Without context   With context
No string interpolation in SQL              100%              100%
No $queryRawUnsafe                          100%              100%
No $queryRaw for ORM-expressible queries    100%              100%
ORM contains/like for text search           100%              100%
ORM where clause for filtering              100%              100%
Parameterized raw queries                   100%              100%
Numeric ID parsed and validated             70%               100%
No raw flag / text() for ORM-expressible    100%              100%

Restaurant Order Management API
Input validation order and Content-Type enforcement
Scenario score: 100% with context, 41% without context

Criteria                                    Without context   With context
Content-Type checked first                  0%                100%
415 status on wrong Content-Type            0%                100%
Strings trimmed                             87%               100%
Required fields validated                   100%              100%
Length limits enforced                      0%                100%
Numeric field parsed                        20%               100%
NaN and range rejected                      70%               100%
Enum validated against allowed list         100%              100%
Validated data passed to service            87%               100%
Service layer business rule                 100%              100%
Mass assignment prevented                   100%              100%

Community Feedback Board
XSS prevention and HTML escaping
Scenario score: 100% with context, 10% without context

Criteria                                    Without context   With context
Backend returns JSON                        100%              100%
No innerHTML with user data                 100%              100%
textContent or DOM API used                 100%              100%
No dangerouslySetInnerHTML                  100%              100%
escapeHtml covers ampersand                 100%              100%
escapeHtml covers angle brackets            100%              100%
escapeHtml covers double quote              100%              100%
escapeHtml covers single quote              100%              100%
Content-Type on POST endpoints              0%                100%
No server-side HTML interpolation           100%              100%

User Profile and External Link Preview Service
SSRF prevention and mass assignment prevention
Scenario score: 100% with context, 29% without context

Criteria                                    Without context   With context
URL parsed before use                       100%              100%
HTTPS-only enforced                         0%                100%
Hostname allowlist checked                  100%              100%
Invalid URL returns 400                     100%              100%
Disallowed host returns 400                 100%              100%
No req.body spread to DB                    100%              100%
Explicit field destructuring                83%               100%
Content-Type checked                        0%                100%
String fields trimmed                       0%                100%
Required fields validated                   83%               100%

Image Thumbnail Generator Service
Scenario score: 100%

Criteria                                    Without context   With context
Base directory resolved                     100%              100%
Joined path resolved                        100%              100%
startsWith containment check                100%              100%
400 on path traversal attempt               100%              100%
No exec() with user input                   100%              100%
execFile or spawn used                      100%              100%
User input as argument, not shell string    100%              100%
Numeric dimensions validated                100%              100%

Evaluated with agent: Claude Code; model: Claude Sonnet 4.6
