fix(security): add csrf filter and prevent xss attacks by escaping user input