/**
 * Escapes HTML entities to prevent XSS.
 * Used when inserting any dynamic text into the DOM.
 *
 * Entity escaping is context-specific. It protects HTML text content and,
 * provided quote characters are escaped too, quoted attribute values. It is
 * not a sufficient defence for values placed in URL attributes (`href`,
 * `src`), inline event handlers, or `<script>`/`<style>` content; those need
 * their own validation or encoding.
 *
 * NOTE(review): only the declaration is visible here. Confirm the
 * implementation escapes `&`, `<`, `>`, `"` and `'`.
 *
 * @param str - Dynamic text to escape.
 * @returns The escaped text.
 */
export declare function escapeHtml(str: string): string;

/**
 * Sanitizes user input for DOM display.
 * Trims, removes null bytes, and escapes HTML.
 *
 * The result is already HTML-escaped, so escaping it a second time will
 * double-encode entities. Do not reuse the result as an API payload;
 * {@link sanitizeForPayload} exists for that and leaves HTML unescaped.
 *
 * @param input - User-supplied text.
 * @returns The trimmed, null-byte-free, HTML-escaped text.
 */
export declare function sanitizeForDom(input: string): string;

/**
 * Sanitizes user input for API payload.
 * Trims and strips null bytes, but does NOT escape HTML
 * (server-side should handle its own escaping).
 *
 * The returned string is still untrusted. It must not be written into the
 * DOM as markup without going through {@link sanitizeForDom} or
 * {@link escapeHtml}, and the receiving server must apply its own validation
 * and output encoding.
 *
 * @param input - User-supplied text.
 * @returns The trimmed text with null bytes removed; HTML is left as-is.
 */
export declare function sanitizeForPayload(input: string): string;

/**
 * RFC 5322 simplified email validation.
 * Rejects emails > 254 chars and common injection patterns.
 *
 * This is a syntax check only: it does not show that the address exists or
 * belongs to the user, and any server receiving the address should validate
 * it again.
 *
 * NOTE(review): which "injection patterns" are rejected is not visible in
 * this declaration. Confirm the list (e.g. embedded line breaks) and
 * document it here.
 *
 * @param email - Address to validate.
 * @returns `true` when the address passes the check.
 */
export declare function isValidEmail(email: string): boolean;

/**
 * Checks that a string is non-empty after trimming.
 *
 * NOTE(review): the parameter is typed `unknown`. The result for non-string
 * values is not visible here (presumably `false`); confirm against the
 * implementation.
 *
 * @param value - Value to check.
 * @returns `true` when the value is a string that is non-empty after trimming.
 */
export declare function isNonEmpty(value: unknown): boolean;

/**
 * Checks that a string is within max length.
 *
 * NOTE(review): the declaration does not show whether `max` is inclusive, or
 * whether length is counted in UTF-16 code units (`String.prototype.length`).
 * Confirm, because a server that enforces a byte or code-point limit can
 * disagree with this check.
 *
 * @param value - String to measure.
 * @param max - Maximum allowed length.
 * @returns `true` when the string is within the limit.
 */
export declare function isWithinLength(value: string, max: number): boolean;

/**
 * Validates a CSS color value (basic check — hex, rgb, hsl, named colors).
 * Used to prevent injection via theme config.
 *
 * NOTE(review): despite the general name, the description covers colors only.
 * Confirm that the check matches the whole value against an allowlist of
 * color forms, so that anything else (other properties, `url(...)`, extra
 * declarations) is rejected rather than filtered.
 *
 * @param value - Candidate CSS value taken from theme configuration.
 * @returns `true` when the value is considered safe to apply.
 */
export declare function isSafeCssValue(value: string): boolean;

/**
 * Sanitizes a single theme value to prevent CSS injection.
 *
 * NOTE(review): what is returned for a value that fails validation (an empty
 * string, a default, or a stripped version) is not visible here, nor is
 * whether this relies on {@link isSafeCssValue}. Confirm against the
 * implementation.
 *
 * @param value - Theme value to sanitize.
 * @returns The sanitized value.
 */
export declare function sanitizeThemeValue(value: string): string;