handling externally sanitized HTML using Zod

[skybrian]

One thing type-checking is used for is to avoid security holes due to untrusted input. For example, there might be a SafeHtml type which is only used for HTML that's been sanitized or comes from a trusted caller.

I'm attempting to model something like that using Zod and it seems messy, because I'm not actually sanitizing the HTML using Zod. Instead, the idea is to convert all Markdown to HTML on the server. Nothing should have the 'Html' type except if it's generated by the Markdown parser.

But when the client gets a JSON reply from the server, I do want to parse it using Zod. So how do I do that without making it really easy to accidentally skip HTML validation? Somehow I want to express the idea that Zod should only be used to parse trusted input.

Here's what I have that I'm not satisfied with, because it seems error-prone:

export const Markdown = z.string().trim().max(1000).transform((x) =>
  x as Flavored<string, "Markdown">
);
export type Markdown = z.infer<typeof Markdown>;

// Zod doesn't validate HTML. But the client uses Zod to validate JSON responses
// from the server, implicitly trusting the server to send safe HTML.
// (This means that Zod types that contain an Html field should only be used
// on trusted input.)

export const Html = z.string().transform((x) => x as Branded<string, "Html">);
export type Html = z.infer<typeof Html>;

export const RenderedMarkdown = z.object({
  markdown: Markdown,
  html: Html,
});
export type RenderedMarkdown = z.infer<typeof RenderedMarkdown>;