in-toto / layout-web-tool

A flask app that helps to create, modify and visualize in-toto layouts.

Sanitize user input

lukpueh opened this issue · comments

We persist most of the user-posted information as is. While there shouldn't be any SQL injection problems (MongoDB with very simple queries; please prove me wrong!), some data just doesn't make sense in the scope of in-toto.

Therefore we should sanitize/validate user inputs and give feedback so that the user can correct the posted data. Some examples:

  • step and inspection names need to be unique in the supply chain
  • several suggested CLI snippets are generated based on user input; these should actually work, e.g. in-toto-run commands or inspection commands, ...
  • replace asserts

We should take a look at Flask-WTF for this task.
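As an added illustration of the validation the issue asks for (this is not layout-web-tool's own code, and the form payload shape, the field names and the shell-safe name alphabet are assumptions made for the example), a dependency-free validator that collects per-field error messages for user feedback instead of asserting, enforces unique step/inspection names, and shell-quotes the suggested in-toto-run snippet so it stays runnable:

```python
import re
import shlex
from typing import Dict, List

# Constructed sample of what the web form might POST. The real field names of
# layout-web-tool are not shown in the issue, so this shape is an assumption.
SAMPLE_PAYLOAD = {
    "steps": [
        {"name": "clone", "command": "git clone https://example.org/repo.git"},
        {"name": "build", "command": "make all"},
        {"name": "clone", "command": "ls"},            # duplicate name
    ],
    "inspections": [
        {"name": "untar", "command": "tar xf final.tar"},
        {"name": "bad name;rm", "command": "echo"},   # would break a generated CLI line
    ],
}

# Names are substituted into suggested CLI commands, so a conservative alphabet
# is enforced here (a choice for this example, not an in-toto rule).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_layout_input(payload: Dict) -> Dict[str, List[str]]:
    """Return {field: [messages]}; an empty dict means the input is acceptable.
    Errors are collected instead of raised so the form can report every bad
    field at once, which is what an assert cannot do."""
    errors: Dict[str, List[str]] = {}
    seen = set()  # steps and inspections are treated as one namespace
    for kind in ("steps", "inspections"):
        items = payload.get(kind, [])
        if not isinstance(items, list):
            errors.setdefault(kind, []).append("must be a list")
            continue
        for idx, item in enumerate(items):
            field = f"{kind}[{idx}].name"
            name = item.get("name") if isinstance(item, dict) else None
            if not isinstance(name, str) or not NAME_RE.fullmatch(name):
                errors.setdefault(field, []).append("1-64 chars of [A-Za-z0-9_.-]")
                continue
            if name in seen:
                errors.setdefault(field, []).append(f"duplicate name '{name}'")
            seen.add(name)
    return errors


def suggest_run_command(step: Dict) -> str:
    """Build the in-toto-run snippet shown to the user; every argument is
    shell-quoted so the suggestion runs whatever the user typed."""
    args = ["in-toto-run", "--step-name", step["name"], "--", *shlex.split(step["command"])]
    return " ".join(shlex.quote(a) for a in args)
```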