[Connector] Sanitize user input in offline match manifest generation

[Flegma]

Summary

User-provided data used in manifest generation needs proper sanitization to prevent unintended content in generated files.

Tasks

• Sanitize all user-provided values before template substitution
• Use a proper templating library with auto-escaping
• Add input validation on the MatchData DTO

Impact

Could allow unintended content in generated manifests.

Details

Full details in internal audit document. Finding IDs: CRIT-CONN-01

---

Related Issues (Input Validation Pattern)

• [API] Harden match events gateway authentication and message validation #371 — [API] Harden match events gateway validation
• [Connector] Sanitize user input in offline match manifest generation #404 — [Connector] Sanitize offline match manifest input
• [Connector] Add command validation and whitelist to RCON gateway #405 — [Connector] Add RCON command whitelist
• [Connector] Add authentication to WebRTC datachannel & validate match data DTOs #406 — [Connector] Validate WebRTC datachannel & match DTOs
• [Game Server] Async void anti-pattern & missing command input validation #402 — [Game Server] Missing command input validation