backup

CONTRIBUTING.md

@@ -112,6 +112,32 @@ The CI pipeline enforces the same 80% minimum coverage threshold.
 
 ---
 
+## Security Rules
+
+### Never echo raw user input in error messages
+
+User-supplied values (jail names, filter names, action names, IPs, filenames, etc.)
+MUST be sanitized before interpolation into any string that may be rendered in an
+HTML context (error messages, admin UI, email notifications).
+
+Use the `sanitize_for_display()` helper from `app.utils.display_sanitizer`:
+
+```python
+from app.utils.display_sanitizer import sanitize_for_display
+
+# Good: sanitized before display
+super().__init__(f"Jail not found: {sanitize_for_display(name)!r}")
+
+# Bad: raw user input echoed — XSS vector if rendered as HTML
+super().__init__(f"Jail not found: {name!r}")
+```
+
+This rule applies even when the value has been validated: validation checks the
+format, not the rendering context. JSON API responses do NOT need sanitization
+(JSON is not HTML); apply it only at HTML render boundaries.
+
+---
+
 ## Stack
 
 | Layer | Stack |