safeinput

package module
v0.1.0
Published: Jan 6, 2026 License: MIT Imports: 5 Imported by: 0

README

go-safeinput

Universal input sanitization for Go applications - MITRE CWE Top 25 coverage.


Features

  • CWE-79: Cross-site Scripting (XSS) prevention
  • CWE-89: SQL Injection prevention
  • CWE-22: Path Traversal prevention
  • CWE-78: OS Command Injection prevention
  • Zero external dependencies - uses only Go standard library
  • Greater than 90% test coverage
  • Docker support with multi-stage builds
  • Security scanning with gosec, govulncheck, CodeQL

Requirements

  • Go 1.24 or higher
  • Docker (optional)

Installation

go get github.com/ravisastryk/go-safeinput

Quick Start

package main

import (
    "fmt"
    "github.com/ravisastryk/go-safeinput"
)

func main() {
    s := safeinput.Default()
    
    // XSS Prevention
    safe, _ := s.Sanitize("<script>alert('xss')</script>Hi", safeinput.HTMLBody)
    fmt.Println(safe) // Output: Hi
    
    // Path Traversal Prevention
    _, err := s.Sanitize("../../etc/passwd", safeinput.FilePath)
    fmt.Println(err) // Output: path traversal detected
    
    // SQL Injection Prevention
    _, err = s.Sanitize("users; DROP TABLE--", safeinput.SQLIdentifier)
    fmt.Println(err) // Output: invalid SQL identifier
}

Development

# Run tests
make test

# Run linter
make lint

# Run security checks
make security

# Build Docker image
make docker

License

MIT License - see LICENSE for details.


Author: Ravi Sastry Kadali (https://github.com/ravisastryk)

Documentation

Overview

Package safeinput provides context-aware input sanitization for Go applications. It addresses MITRE CWE Top 25 injection vulnerabilities including:

  • CWE-79: Cross-site Scripting (XSS)
  • CWE-89: SQL Injection
  • CWE-22: Path Traversal
  • CWE-78: OS Command Injection

Index

Constants

This section is empty.

Variables

var (
	// ErrInputTooLong is returned when input exceeds maximum length.
	ErrInputTooLong   = errors.New("input exceeds maximum length")
	ErrUnknownContext = errors.New("unknown sanitization context")
	ErrNullByte       = errors.New("null byte detected in input")
)

Functions

func SanitizeShellArg

func SanitizeShellArg(input string) string

SanitizeShellArg sanitizes shell command arguments (CWE-78). Only allows alphanumeric characters, dash, underscore, period, and forward slash.

func StripNullBytes

func StripNullBytes(s string) string

StripNullBytes removes null bytes from a string.

Types

type Config

type Config struct {
	MaxInputLength  int
	AllowedHTMLTags []string
	BasePath        string
	StrictMode      bool
	StripNullBytes  bool
}

Config holds sanitizer configuration options.

type Context

type Context int

Context defines the output context for sanitization.

const (
	// HTMLBody sanitizes for HTML body content (CWE-79).
	HTMLBody Context = iota
	// HTMLAttribute sanitizes for HTML attribute values (CWE-79).
	HTMLAttribute
	// SQLIdentifier sanitizes SQL identifiers (CWE-89).
	SQLIdentifier
	// SQLValue validates values before queries (CWE-89).
	SQLValue
	// FilePath sanitizes filesystem paths (CWE-22).
	FilePath
	// URLPath sanitizes URL path components.
	URLPath
	// URLQuery sanitizes URL query parameters.
	URLQuery
	// ShellArg sanitizes shell command arguments (CWE-78).
	ShellArg
)
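The FilePath context above, together with the Config.BasePath setting, amounts to confining a user-supplied path beneath a fixed base directory and rejecting anything that escapes it (the "path traversal detected" case from the Quick Start). The block below is an added illustration of that check using only the Go standard library; it is not the library's own implementation, and the base directory /srv/uploads and the error variable ErrPathTraversal are constructed for the example (ErrNullByte mirrors the variable documented above).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrNullByte mirrors the documented package variable; ErrPathTraversal is
// constructed for this example.
var (
	ErrNullByte      = errors.New("null byte detected in input")
	ErrPathTraversal = errors.New("path traversal detected")
)

// SanitizeFilePath resolves a user-supplied path against basePath and rejects
// any result that lies outside it. This is an independent illustration of the
// FilePath context, not the library's code.
func SanitizeFilePath(basePath, input string) (string, error) {
	// Null bytes truncate paths in C-backed syscalls; reject them outright.
	if strings.ContainsRune(input, 0) {
		return "", ErrNullByte
	}
	base := filepath.Clean(basePath)
	// Join cleans the result, collapsing "." and ".." segments lexically.
	// An absolute input is re-rooted under base rather than honoured.
	target := filepath.Join(base, input)
	// Rel expresses target relative to base; a leading ".." means it escaped.
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrPathTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: two benign, one traversal, one null byte.
	for _, in := range []string{"report.pdf", "a/../b.txt", "../../etc/passwd", "x\x00.txt"} {
		out, err := SanitizeFilePath("/srv/uploads", in)
		fmt.Printf("%q -> %q, %v\n", in, out, err)
	}
}
```

The check is purely lexical: if basePath or its children may contain symbolic links, resolve the candidate with filepath.EvalSymlinks and repeat the containment test on the resolved path.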

func (Context) String

func (c Context) String() string

String returns a human-readable name for the context.

type Sanitizer

type Sanitizer struct {
	// contains filtered or unexported fields
}

Sanitizer provides the main sanitization interface.

func Default

func Default() *Sanitizer

Default returns a Sanitizer with secure default settings.

func New

func New(cfg Config) *Sanitizer

New creates a new Sanitizer with the given configuration.

func (*Sanitizer) GetConfig

func (s *Sanitizer) GetConfig() Config

GetConfig returns a copy of the configuration.

func (*Sanitizer) IsValid

func (s *Sanitizer) IsValid(input string, ctx Context) bool

IsValid checks if input is valid for the given context.

func (*Sanitizer) MustSanitize

func (s *Sanitizer) MustSanitize(input string, ctx Context) string

MustSanitize panics on error.

func (*Sanitizer) Sanitize

func (s *Sanitizer) Sanitize(input string, ctx Context) (string, error)

Sanitize processes input for the specified context.

Directories

Path Synopsis
cmd
  cmd/safeinput (command) Command safeinput provides a CLI for input sanitization.
Package html provides XSS prevention (CWE-79) using pure Go.
Package path provides path traversal prevention (CWE-22).
Package sql provides SQL injection prevention (CWE-89).
