Why this matters
Prevents XSS/SSR injection and enforces stable API contracts.
Validate and sanitize all request bodies and search params on the server using a schema (e.g., zod). Reject invalid payloads with an appropriate HTTP status (e.g., 400) instead of echoing or processing them.
Side-by-side examples engineers can pattern-match during review.
Bad: returning input without validation

import { NextResponse } from 'next/server'

export async function POST(req) {
  const body = await req.json()
  // Whatever the client sent is echoed straight back: no shape, size or type checks.
  return NextResponse.json({ ok: true, body })
}

Good: safeParse + 400 on schema error

import { NextResponse } from 'next/server'
import { z } from 'zod'

// Only the fields the endpoint actually needs; unknown keys are stripped by zod.
const SCHEMA = z.object({ title: z.string().min(1) })

export async function POST(req) {
  const json = await req.json()
  const parsed = SCHEMA.safeParse(json)
  if (!parsed.success) {
    // Reject before any of the input is used; do not reflect the raw body.
    return NextResponse.json({ error: 'Invalid' }, { status: 400 })
  }
  /* ... work with parsed.data, never with json ... */
  return NextResponse.json({ ok: true })
}
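The rule above also covers search params, which the side-by-side examples do not show. The following is an added example, not code from this page or from the Next.js or zod projects: it assumes a hypothetical GET /api/items handler and, so that it runs stand-alone, replaces the zod dependency with a small inline validator that mirrors safeParse's { success, data } / { success: false, error } result shape.

```javascript
// Added example: validating URL search params in a Next.js route handler.
// Search params always arrive as strings, so the schema must coerce and bound them.
// No zod dependency here: a small inline schema mirrors zod's safeParse shape
// ({ success, data } | { success: false, error }) so the handler reads the same way.

const ALLOWED_SORT = ['asc', 'desc']

// Constructed schema for GET /api/items?q=...&page=...&limit=...&sort=...
// Each checker receives the raw string (or null when absent) and returns ok/value or ok:false/msg.
const QUERY_SCHEMA = {
  q:     (v) => (v === null || v.length <= 100) ? { ok: true, value: v ?? '' } : { ok: false, msg: 'q too long' },
  page:  (v) => intInRange(v, 1, 1_000_000, 1),
  limit: (v) => intInRange(v, 1, 100, 20),          // bounded so a client cannot request unbounded pages
  sort:  (v) => (v === null || ALLOWED_SORT.includes(v)) ? { ok: true, value: v ?? 'asc' } : { ok: false, msg: 'sort must be asc|desc' },
}

// Parse an optional integer string into [min, max]; a missing value takes the default.
function intInRange(raw, min, max, dflt) {
  if (raw === null) return { ok: true, value: dflt }
  if (!/^\d+$/.test(raw)) return { ok: false, msg: 'must be an integer' }
  const n = Number(raw)
  if (n < min || n > max) return { ok: false, msg: `must be between ${min} and ${max}` }
  return { ok: true, value: n }
}

// safeParse-style validation of URLSearchParams: unknown keys are dropped,
// duplicated keys are rejected (parameter pollution), every known key is coerced and bounded.
function validateSearchParams(searchParams) {
  const data = {}
  const issues = []
  for (const [key, check] of Object.entries(QUERY_SCHEMA)) {
    if (searchParams.getAll(key).length > 1) { issues.push({ path: key, message: 'duplicate parameter' }); continue }
    const result = check(searchParams.get(key))   // null when the param is absent
    if (result.ok) data[key] = result.value
    else issues.push({ path: key, message: result.msg })
  }
  return issues.length ? { success: false, error: { issues } } : { success: true, data }
}

// Route handler shape for app/api/items/route.js (add `export` there).
// Synchronous because nothing is awaited; Next.js accepts sync or async handlers.
function GET(req) {
  const parsed = validateSearchParams(new URL(req.url).searchParams)
  if (!parsed.success) {
    return jsonResponse({ error: 'Invalid query', issues: parsed.error.issues }, 400)
  }
  // ... query the data source with parsed.data, never with the raw params ...
  return jsonResponse({ ok: true, query: parsed.data }, 200)
}

function jsonResponse(body, status) {
  return new Response(JSON.stringify(body), { status, headers: { 'content-type': 'application/json' } })
}
```

Reporting `issues` as field paths and messages, rather than echoing the offending values, keeps the 400 response useful to the client without reflecting attacker-controlled input.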