Atlas Forms
Security-Focused Validation
Client-side validation is a UX feature, not a security boundary. Security must be enforced on the server. This page covers the built-in input sanitisation Atlas Forms applies automatically, how to add security-conscious validation rules, and OWASP alignment guidance.
What Atlas Forms Does Automatically
| Layer | What It Does | Where Applied |
|---|---|---|
| Type coercion | Coerces numeric fields to numbers and dates to ISO strings so the submitted payload has consistent types; this reduces type-confusion bugs in client code but, like every client-side step, is not a security control | All input controls |
| Whitespace trimming | Trims leading/trailing whitespace from text values before validation | text, email, url |
| HTML sanitisation | DOMPurify sanitises HTML content in html and article display controls | Display controls only |
| maxLength enforcement | Enforces maxLength at the input level (HTML attribute) and in validation | text, textarea, password |
| Number bounds | Enforces min/max on number inputs — rejects out-of-range values | number control |
| File type/size check | Validates MIME type and file size before upload | file-upload control |
What You Must Do on the Server
Client-side validation is trivially bypassable. Every submitted value must be re-validated server-side before use:
- Re-validate all required fields, length limits, and pattern constraints.
- Parameterise all database queries (never concatenate form values into SQL).
- Sanitise any user-provided content that will be rendered as HTML.
- Enforce file type and size limits on the server — clients can lie about MIME types.
- Verify business rules (e.g., budget limits, date ranges) — clients can manipulate DOM values.
OWASP Input Validation Alignment
| OWASP Threat | Client-Side Mitigation | Server-Side Requirement |
|---|---|---|
| SQL Injection | Pattern validation blocks common SQL characters; advisory only | Parameterised queries (mandatory) |
| XSS via form input | DOMPurify on display controls; inputs are stored as data, not rendered as HTML | HTML-encode on output; Content-Security-Policy header |
| Path Traversal | Pattern rule blocks ../ sequences in filenames | Server normalises and validates all file paths |
| Mass Assignment | Form schema defines exactly which fields are submitted | Allowlist permitted fields in the API layer |
| Oversized Input (DoS) | maxLength and maxFileSizeMb limits | Server enforces identical limits |
| Integer Overflow | min/max validation on number fields | Server validates numeric ranges before use |
Security-Aware Pattern Examples
// Reject characters commonly used in SQL injection. Advisory only: it also
// rejects legitimate input such as O'Brien, and the server's parameterised
// query is the actual defence.
{
  "id": "search-term",
  "type": "text",
  "label": "Search",
  "validation": {
    "maxLength": 200,
    "pattern": "^[^;'\"\\\\<>]*$",
    "patternMessage": "Search term contains disallowed characters"
  }
}
// File name with no path traversal: no separators, and not a bare "." or ".."
// (the negative lookahead rejects names made only of dots, which the character
// class alone would accept)
{
  "id": "filename",
  "type": "text",
  "label": "File Name",
  "validation": {
    "required": true,
    "maxLength": 255,
    "pattern": "^(?!\\.+$)[A-Za-z0-9_\\-\\.]+$",
    "patternMessage": "Only letters, numbers, underscores, hyphens and dots allowed in file names"
  }
}
// Strict integer ID: non-numeric and out-of-range values are rejected here,
// and the server still parameterises the lookup
{
  "id": "record-id",
  "type": "number",
  "label": "Record ID",
  "settings": { "precision": 0 },
  "validation": {
    "required": true,
    "min": 1,
    "max": 2147483647
  }
}
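The following JavaScript is an added example, not Atlas Forms code, and uses no Atlas Forms server API (the page documents none). It does on the server what the checklist under "What You Must Do on the Server" and the OWASP table require for the three schema fragments above: every rule is re-run on the raw body, only declared fields are read, the file name is normalised and confined to an upload directory, the lookup is a parameterised query, and the echoed term is HTML-encoded on output. One request body is constructed as an attacker would craft it in DevTools, one as an honest submission. The function names, the `records` table and the `/srv/uploads` directory are assumptions.

```javascript
// Added example, not Atlas Forms code: server-side handling of the three schema fragments on
// this page. Function names, the `records` table and UPLOAD_DIR are assumptions.
const FORM_SCHEMA = {
  fields: [
    { id: 'search-term', type: 'text',
      validation: { maxLength: 200, pattern: "^[^;'\"\\\\<>]*$" } },
    { id: 'filename', type: 'text',
      validation: { required: true, maxLength: 255, pattern: '^(?!\\.+$)[A-Za-z0-9_\\-\\.]+$' } },
    { id: 'record-id', type: 'number', settings: { precision: 0 },
      validation: { required: true, min: 1, max: 2147483647 } },
  ],
};
const UPLOAD_DIR = '/srv/uploads';
const NUMERIC = /^-?\d+(\.\d+)?$/; // plain decimal only: no 0x10, 1e9, Infinity, NaN

// Re-run one field's rules on the raw submitted value. Client-side coercion, trimming and
// pattern checks are not trusted; everything is redone here.
function validateField(field, raw) {
  const v = field.validation || {}, errors = [];
  if (raw === undefined || raw === null || String(raw).trim() === '') {
    if (v.required) errors.push(`${field.id}: required`);
    return { value: undefined, errors };
  }
  if (field.type === 'number') {
    const s = String(raw).trim();
    if (!NUMERIC.test(s)) return { value: undefined, errors: [`${field.id}: not a number`] };
    const num = Number(s);
    if (field.settings?.precision === 0 && !Number.isInteger(num)) errors.push(`${field.id}: must be an integer`);
    if (v.min !== undefined && num < v.min) errors.push(`${field.id}: below minimum ${v.min}`);
    if (v.max !== undefined && num > v.max) errors.push(`${field.id}: above maximum ${v.max}`);
    return { value: num, errors };
  }
  if (typeof raw !== 'string') return { value: undefined, errors: [`${field.id}: expected a string`] };
  const value = raw.trim();
  if (v.maxLength !== undefined && value.length > v.maxLength) errors.push(`${field.id}: longer than ${v.maxLength}`);
  if (v.pattern && !new RegExp(v.pattern).test(value)) errors.push(`${field.id}: does not match pattern`);
  return { value, errors };
}

// Mass-assignment control: only fields the schema declares are read; any other key in the
// body (for example an injected isAdmin) is reported and dropped.
function validateSubmission(schema, body) {
  const src = body && typeof body === 'object' ? body : {};
  const known = new Set(schema.fields.map((f) => f.id));
  const data = {}, errors = [];
  for (const field of schema.fields) {
    const r = validateField(field, src[field.id]);
    errors.push(...r.errors);
    if (r.value !== undefined) data[field.id] = r.value;
  }
  const ignored = Object.keys(src).filter((k) => !known.has(k));
  return { ok: errors.length === 0, data, errors, ignored };
}

// Path-traversal control: normalise the client-supplied path segment by segment and refuse
// NUL bytes, absolute paths and anything that climbs above baseDir. Returns null on rejection.
function resolveWithinBase(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0') || /^([A-Za-z]:)?[\\/]/.test(userPath)) return null;
  const out = [];
  for (const seg of userPath.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out.length ? `${baseDir}/${out.join('/')}` : null;
}

// SQL-injection control: user data travels in `values`, never in `text`. LIKE metacharacters
// are escaped so a search term cannot widen its own match.
function escapeLike(s) { return s.replace(/[\\%_]/g, (c) => `\\${c}`); }
function buildSearchQuery(recordId, term) {
  return {
    text: "SELECT id, title FROM records WHERE id = $1 AND title ILIKE $2 ESCAPE '\\'",
    values: [recordId, `%${escapeLike(term)}%`],
  };
}

// XSS control: encode on output, whatever the client filtered.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) { return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]); }

// Returns a plain object instead of writing an HTTP response, so it can be checked offline.
function handleSubmission(body) {
  const result = validateSubmission(FORM_SCHEMA, body);
  if (!result.ok) return { status: 400, errors: result.errors, ignored: result.ignored };
  const { 'search-term': term = '', filename, 'record-id': recordId } = result.data;
  const path = resolveWithinBase(UPLOAD_DIR, filename);
  if (!path) return { status: 400, errors: ['filename: escapes upload directory'], ignored: result.ignored };
  return { status: 200, ignored: result.ignored, path,
           query: buildSearchQuery(recordId, term), echo: `<p>Results for ${encodeHtml(term)}</p>` };
}

// Constructed bodies: one crafted in DevTools to skip the client rules, one honest submission.
const CRAFTED = { 'search-term': "x' OR 1=1 --", filename: '../../etc/passwd', 'record-id': '0', isAdmin: true };
const HONEST = { 'search-term': '  100% cotton_shirt ', filename: 'report-q1.pdf', 'record-id': '42' };
console.log(JSON.stringify(handleSubmission(CRAFTED)), JSON.stringify(handleSubmission(HONEST)));
```

The server reads the same `validation` objects the client uses, so there is one source of rules rather than two that drift apart. Note where the real defence sits: the crafted body is rejected by the `search-term` pattern, but even if that pattern were relaxed to allow apostrophes, the `'` would only ever reach the database inside `values`, never inside the query text.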
Registering Security Validators
import { registerValidator } from '@atlas-forms/validation-js';

// Reject values that contain HTML tags
registerValidator('noHtmlContent', (value) => {
  const hasHtml = /<[^>]+>/.test(String(value ?? ''));
  return {
    valid: !hasHtml,
    message: 'HTML markup is not allowed in this field'
  };
});

// Reject common SQL injection patterns. This is a keyword denylist, so it is
// advisory UX only: it produces false positives on ordinary text (for example
// "please update my address") and offers no protection by itself; the server's
// parameterised queries do. Word boundaries keep it from firing inside longer
// words such as "updated".
registerValidator('noSqlInjection', (value) => {
  const sqlPattern = /('|--|;|\/\*|\*\/|\bxp_|\b(EXEC|DROP|INSERT|UPDATE|DELETE)\b|\bSELECT\s+\*)/i;
  const hasSql = sqlPattern.test(String(value ?? ''));
  return {
    valid: !hasSql,
    message: 'Input contains disallowed characters or keywords'
  };
});
Never Rely on Client-Side Validation for Security
Any user with browser DevTools can bypass all client-side validation. Security-critical rules (ownership checks, rate limits, authorisation) must always be enforced on the server. Use client-side validation to improve user experience, not to enforce security boundaries.