Replace the stub filter_content() that always returned true with a real
implementation using compiled regex patterns:
- XSS vectors: <script>, javascript:, onXxx=, <iframe>, <object>, <embed>
- SQL injection: UNION SELECT, DROP TABLE, OR 1=1, ' OR '
- Command injection: eval(), exec()
Patterns compiled once at startup via once_cell::sync::Lazy with safe
.ok() filter (no .unwrap()). Returns false (reject) on pattern match.
Also enhances validate_content() to check dangerous patterns and return
a proper error.
Addresses audit findings D4, A04: ContentFilter stub always returned true.
Co-authored-by: Cursor <cursoragent@cursor.com>
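
A sketch of the filter this commit message describes, added here as an illustration and not taken from the project's code. It shows the compile-once pattern set, reject-on-match, and a startup count check that catches a pattern silently dropped by `.ok()`. Assumptions: std-only matchers and `std::sync::OnceLock` stand in for the regex crate and `once_cell::sync::Lazy`; the pattern list is constructed; the signatures of `filter_content` and `validate_content` are guessed; `Category`, `Pat`, `SOURCES`, `compile` and `loaded_patterns` are hypothetical names.

```rust
use std::sync::OnceLock;
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Category { Xss, Sql, Command }
// Stand-in for a compiled regex (assumption: std only, no regex crate).
enum Pat { Lit(&'static str), EventAttr }
// Constructed list mirroring the commit message's categories ("on*=" means onXxx=).
pub const SOURCES: &[(Category, &str)] = &[
    (Category::Xss, "<script"), (Category::Xss, "javascript:"), (Category::Xss, "on*="),
    (Category::Xss, "<iframe"), (Category::Xss, "<object"), (Category::Xss, "<embed"),
    (Category::Sql, "union select"), (Category::Sql, "drop table"), (Category::Sql, "or 1=1"),
    (Category::Sql, "' or '"), (Category::Command, "eval("), (Category::Command, "exec("),
];
fn compile(src: &'static str) -> Result<Pat, String> {
    if src.is_empty() { return Err("empty pattern".into()); }
    Ok(if src == "on*=" { Pat::EventAttr } else { Pat::Lit(src) })
}

// Built once on first use; a source that fails to compile is dropped by .ok().
fn patterns() -> &'static Vec<(Category, Pat)> {
    static P: OnceLock<Vec<(Category, Pat)>> = OnceLock::new();
    P.get_or_init(|| SOURCES.iter()
        .filter_map(|&(c, s)| compile(s).ok().map(|p| (c, p))).collect())
}

// True for "on" at a word start, then letters, then '=' (inline event handler).
fn has_event_attr(t: &str) -> bool {
    let b = t.as_bytes();
    (0..b.len()).any(|i| {
        let at_word_start = i == 0 || !b[i - 1].is_ascii_alphanumeric();
        if !at_word_start || !b[i..].starts_with(b"on") { return false; }
        let n = b[i + 2..].iter().take_while(|c| c.is_ascii_alphabetic()).count();
        n > 0 && b.get(i + 2 + n) == Some(&b'=')
    })
}

// Err carries the category of the first pattern that matched.
pub fn validate_content(text: &str) -> Result<(), Category> {
    let lower = text.to_ascii_lowercase();
    let hit = |p: &Pat| match p {
        Pat::Lit(l) => lower.contains(*l),
        Pat::EventAttr => has_event_attr(&lower),
    };
    patterns().iter().find(|(_, p)| hit(p)).map_or(Ok(()), |(c, _)| Err(*c))
}
pub fn filter_content(text: &str) -> bool { validate_content(text).is_ok() }
pub fn loaded_patterns() -> usize { patterns().len() }
fn main() {
    assert_eq!(loaded_patterns(), SOURCES.len()); // startup coverage check
    println!("{:?}", validate_content("<a onclick=go()>"));
}
```

Comparing `loaded_patterns()` with `SOURCES.len()` at startup turns a silently skipped pattern into a visible failure instead of reduced coverage.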