
Commit 0b7c047

pwizla and web-flow authored
Add sanitize/validation callout to Controllers documentation (#2847)
* docs(backend): correct TypeScript code fences in TS tabs (controllers, services, middlewares, routes)
* docs(bundlers): clarify webpack config example rename and JS/TS filenames
* docs(routes): add guidance to prefer fully-qualified handler names in custom routers
* docs(api-tokens): add concise security tip (least privilege, rotation, secrets manager)
* docs(controllers): add caution about validateQuery/sanitizeQuery/sanitizeOutput when overriding actions
* Limit PR scope based on title; keep only intended doc(s); revert unrelated files

---------

Co-authored-by: GitHub Actions <[email protected]>
1 parent d2f5766 commit 0b7c047

File tree

1 file changed

+4
-0
lines changed


docusaurus/docs/cms/backend-customization/controllers.md

Lines changed: 4 additions & 0 deletions
@@ -29,6 +29,10 @@ In most cases, the controllers will contain the bulk of a project's business log
2929
<em><figcaption style={{fontSize: '12px'}}>The diagram represents a simplified version of how a request travels through the Strapi back end, with controllers highlighted. The backend customization introduction page includes a complete, <a href="/cms/backend-customization#interactive-diagram">interactive diagram</a>.</figcaption></em>
3030
</figure>
3131

32+
:::caution Sanitize inputs and outputs
33+
When overriding core actions, always validate and sanitize queries and responses to avoid leaking private fields or bypassing access rules. Use `validateQuery` (optional), `sanitizeQuery` (recommended), and `sanitizeOutput` before returning data from custom actions. See the example below for a safe `find` override.
34+
:::
35+
3236
## Implementation
3337

3438
Controllers can be [generated or added manually](#adding-a-new-controller). Strapi provides a `createCoreController` factory function that automatically generates core controllers and allows building custom ones or [extend or replace the generated controllers](#extending-core-controllers).

0 commit comments
