
Implement comprehensive input validation and HTML sanitization#48

Draft
Copilot wants to merge 4 commits into master from copilot/enhance-input-validation

Conversation


Copilot AI commented Feb 18, 2026

Description

API endpoints lacked systematic input validation and sanitization, creating attack vectors for injection exploits. Implemented validation attribute framework and HTML sanitization service to enforce data integrity at DTO level.

```csharp
// DTOs now enforce validation automatically
public class RegisterDto
{
    [Required, EmailAddress]
    public string Email { get; set; }

    [Required, StringLength(50), SafeString]
    public string FirstName { get; set; }

    [ValidRole]  // Validates against centralized role constants
    public string Role { get; set; }

    [Instrument]  // Validates against 40+ allowed instruments
    public string? Instrument { get; set; }

    [GraduationYear]  // Current year to +4 years
    public int? GraduationYear { get; set; }
}

// HTML content is automatically sanitized
var sanitizer = new HtmlSanitizerService();
var clean = sanitizer.Sanitize("<script>alert('xss')</script>Safe text");
// Returns: "Safe text" (script tags removed)
```

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 🔧 Refactoring (code changes that neither fix a bug nor add a feature)
  • 📝 Documentation update
  • 🎨 UI/UX improvement
  • ⚡ Performance improvement
  • 🔒 Security fix
  • ✅ Test addition or update
  • 🚀 CI/CD or build configuration change

Related Issues

N/A

Changes Made

Custom Validation Attributes (Podium.Application/Validation/)

  • SafeStringAttribute - Detects XSS patterns: HTML tags, javascript:/vbscript:/data: URIs, event handlers (on*=)
  • EmailDomainAttribute - Validates email structure (single @ with content before/after) and optional domain restrictions (.edu)
  • PhoneNumberAttribute - US phone formats (10 digits exactly), optional +1 prefix
  • GPAAttribute - 0.0-4.0 range validation (decimal/double/float)
  • GraduationYearAttribute - Current year to current year + 4
  • InstrumentAttribute - 40+ band instruments (woodwinds, brass, percussion)
  • ValidRoleAttribute - Uses centralized Roles constants, case-insensitive

HTML Sanitization

  • Added HtmlSanitizer NuGet (v9.0.892, no known vulnerabilities)
  • IHtmlSanitizerService interface in Core
  • HtmlSanitizerService implementation: allows only <b>, <i>, <em>, <strong>, <p>, <br> tags, strips all attributes/event handlers/dangerous schemes

DTO Updates

  • RegisterDto - Email, password, names, phone, role (ValidRole), instrument, graduation year, high school
  • LoginDto - Email and password validation with length constraints
  • ChangePasswordDto - Password strength and confirmation matching
  • UpdateStudentDto - GPA, graduation year, instrument, case-insensitive state codes
  • CreateVideoRequest / UpdateVideoRequest - Title, description, instrument, metadata validation

Testing

  • 92 validation attribute tests (valid/invalid inputs, edge cases, error messages)
  • 15 HtmlSanitizerService tests (XSS prevention, event handler removal, tag allowlist)

Testing Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have updated existing tests to reflect the changes
  • New and existing unit tests pass locally with my changes
  • I have tested this manually in a development environment
  • I have tested edge cases and error scenarios

Documentation Checklist

  • I have updated the relevant documentation (README, API docs, etc.)
  • I have added inline code comments for complex logic
  • I have updated the CHANGELOG (if applicable)
  • I have added or updated JSDoc/XML comments for public APIs

Code Quality Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have removed any console.log or debugging statements
  • I have removed any commented-out code
  • I have checked for potential security vulnerabilities
  • My changes generate no new warnings or errors

Breaking Changes

  • This PR introduces breaking changes
  • Breaking changes are documented
  • Migration guide is provided (if needed)

Breaking Changes Description:

None. Validation is additive and enforced at DTO level via DataAnnotations.

Screenshots / Videos

N/A - Backend validation changes only

Deployment Notes

  • Database migrations are included and tested
  • Environment variables need to be added/updated (document in description)
  • Configuration changes are required
  • This change requires a coordinated deployment with other services
  • Cache needs to be cleared after deployment
  • Third-party services or APIs need to be configured

Deployment Instructions:

Standard deployment. No additional configuration required. HtmlSanitizer package restores automatically during build.

Performance Impact

  • This change impacts performance (positively or negatively)
  • Performance testing has been conducted
  • No significant performance impact expected

Performance Notes:

Validation executes during model binding (existing framework mechanism). Regex patterns are pre-compiled. HtmlSanitizer uses efficient DOM parsing. Negligible overhead per request.

Security Considerations

  • This change has security implications
  • Security review has been requested
  • No security concerns identified

Security Notes:

Mitigates:

  • XSS attacks via HTML injection in user-generated content
  • Script injection via event handlers and dangerous URI schemes
  • Invalid data bypassing business logic constraints

Dependencies:

  • HtmlSanitizer v9.0.892 (Ganss.Xss) - verified no known CVEs

Rollback Plan

How to rollback:

Revert commit. Validation attributes are declarative; removing them restores previous behavior. No data migrations or schema changes.

Additional Context

Validation follows fail-fast principle: invalid requests rejected at controller level before business logic executes. Error messages are user-friendly and specify validation failures.

SafeStringAttribute uses a comprehensive regex but is defense-in-depth, not a silver bullet. User-generated HTML content should still use HtmlSanitizerService for rendering.


Reviewer Notes

Review Checklist (for reviewers)

  • Code follows project conventions and best practices
  • Tests are comprehensive and pass
  • Documentation is clear and complete
  • No security vulnerabilities introduced
  • Performance implications are acceptable
  • Breaking changes are justified and documented
  • PR is ready to merge

Note to Reviewers: Please ensure all CI checks pass before approving.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • http://api.nuget.org:443/DigiCertCSRSA4096RootG5.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)
  • http://api.nuget.org:443/DigiCertHighAssuranceEVRootCA.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)
  • http://api.nuget.org:443/NETFoundationProjectsCodeSigningCA.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)
  • http://api.nuget.org:443/NETFoundationProjectsCodeSigningCA2.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)
  • http://api.nuget.org:443/sha2-assured-cs-g1.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)
  • http://api.nuget.org:443/sha2-assured-ts.crl
    • Triggering command: /usr/bin/dotnet dotnet build --configuration Release (http block)

If you need me to access, download, or install something from one of these locations, you can either:
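As an added illustration (not the PR's own code), a minimal SafeString-style DataAnnotations attribute covering the three pattern classes the description lists, wired into a DTO and exercised with Validator.TryValidateObject the way model binding does; the attribute body, the Demo class and the sample inputs are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

// Hypothetical SafeString attribute modelled on the PR description; not the project's code.
public sealed class SafeStringAttribute : ValidationAttribute
{
    // Pre-compiled, case-insensitive patterns: HTML tags, javascript:/vbscript:/data: URIs, on*= handlers.
    private static readonly Regex[] Patterns =
    {
        new Regex(@"</?[a-z!?]", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"\b(javascript|vbscript|data)\s*:", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        new Regex(@"\bon[a-z]+\s*=", RegexOptions.IgnoreCase | RegexOptions.Compiled),
    };

    protected override ValidationResult? IsValid(object? value, ValidationContext context)
    {
        // Null or empty is [Required]'s job; this attribute only judges content that is present.
        if (value is not string s || s.Length == 0) return ValidationResult.Success;
        foreach (var pattern in Patterns)
            if (pattern.IsMatch(s))
                return new ValidationResult($"{context.DisplayName} contains disallowed markup.",
                                            new[] { context.MemberName ?? string.Empty });
        return ValidationResult.Success;
    }
}

public class RegisterDto
{
    [Required, StringLength(50), SafeString]
    public string FirstName { get; set; } = "";
}

public static class Demo
{
    // Runs DataAnnotations validation the way model binding does and returns the error messages.
    public static List<string> Validate(object dto)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(dto, new ValidationContext(dto), results, validateAllProperties: true);
        return results.ConvertAll(r => r.ErrorMessage ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed inputs: one clean name, one tag, one dangerous URI scheme.
        foreach (var input in new[] { "Ada", "<script>alert('xss')</script>", "javascript:alert(1)" })
            Console.WriteLine($"\"{input}\" -> [{string.Join("; ", Validate(new RegisterDto { FirstName = input }))}]");
    }
}
```

The regex check is a rejection filter for plain-text fields, as the description notes; fields that legitimately carry HTML still need the allowlisting sanitizer before rendering.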



Copilot AI and others added 3 commits February 18, 2026 19:55
Co-authored-by: JFenderson <24466206+JFenderson@users.noreply.github.com>
Co-authored-by: JFenderson <24466206+JFenderson@users.noreply.github.com>
Co-authored-by: JFenderson <24466206+JFenderson@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement enhanced input validation and sanitization for APIs Implement comprehensive input validation and HTML sanitization Feb 18, 2026
Copilot AI requested a review from JFenderson February 18, 2026 20:10
