Facebook Pixel

Validation and Sanitization Interview Questions and Answers

Common interview questions on validation and sanitization, with concise answers.

Validation and Sanitization Interview Questions and Answers

Interviewers ask these validation and sanitization questions often. Here are concise answers.

Q1: What is the difference between validation and sanitization?

Validation rejects bad input (is this valid?). Sanitization cleans input (is this safe?). Use both. Validate the shape, then sanitize the values.

Q2: How do you prevent NoSQL injection?

Use express-mongo-sanitize (strips $ and .), validate with Zod (enforces types), use Mongoose (casts based on schema), cast inputs explicitly with String(), avoid $where, and whitelist filter fields. Layer defenses.

Q3: How do you prevent XSS?

Escape output (React does this by default), strip HTML from input with xss-clean or dompurify, set a Content Security Policy with helmet, use httpOnly cookies, and sanitize rich text on render.

Q4: How do you validate input in Express?

Use Zod or express-validator. Write a validate(schema) middleware factory that uses safeParse, returns 400 with errors if invalid, replaces req.body with parsed data, and calls next. Validate body, params, and query separately.

Q5: Where should validation live in Express?

In a middleware, applied per route. Not in controllers (duplication) and not in models (mixing concerns). The middleware runs before the handler so the handler only sees valid input.

Q6: Why validate on the server if you validate on the client?

Client-side validation is for UX, not security. A user can bypass it with curl or a custom client. Always validate on the server, no matter what the client does.

Q7: What is HTTP Parameter Pollution?

When a client sends duplicate query params (?user=a&user=b), the parser picks one or builds an array. HPP (HTTP Parameter Pollution) attacks exploit this. Use hpp middleware to remove duplicates.

Q8: How do you handle Mongoose ValidationErrors?

Catch them in the error handler. err.name === 'ValidationError' has an errors object keyed by field. Return 400 with the field list. Let other errors fall through to the generic error handler.

Q9: What is prototype pollution?

When an attacker sends { proto: { isAdmin: true } } and pollutes Object.prototype. Now every object appears to have isAdmin: true. Prevent by sanitizing input and using Object.create(null) where appropriate.

Q10: How do you cap request body size?

Set express.json({ limit: '10kb' }). Prevents oversized payload attacks. Without a limit, a malicious client can send huge bodies, eating memory and slowing the server.

The Takeaway

Validation vs sanitization, NoSQL injection prevention (express-mongo-sanitize + Zod), XSS prevention (escape + xss-clean + CSP + httpOnly), validation in middleware (Zod), server-side validation is mandatory, HPP, Mongoose ValidationError handling, prototype pollution, and body size limits.

Validation rejects bad input (is this valid?). Sanitization cleans input (is this safe?). Use both. Validate the shape with Zod, then sanitize the values with transforms and middlewares.

Use express-mongo-sanitize (strips $ and .), validate with Zod (enforces types), use Mongoose (casts based on schema), cast inputs explicitly with String(), avoid $where, and whitelist filter fields. Layer defenses.

Escape output (React does this by default), strip HTML from input with xss-clean or dompurify, set a Content Security Policy with helmet, use httpOnly cookies, and sanitize rich text on render.

In a middleware, applied per route. Not in controllers (duplication) and not in models (mixing concerns). The middleware runs before the handler so the handler only sees valid input.

Client-side validation is for UX, not security. A user can bypass it with curl, Postman, or a custom client. Always validate on the server, no matter what the client does.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.