diff --git a/.gitleaksignore b/.gitleaksignore
index 80e43253ad5991b22f6cbec9a28826fd2db8bf59..48fd24b38b0e93aa4b0abefa5c6c7c493d990034 100644
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -19,3 +19,5 @@ ee/spec/lib/security/secret_detection/partner_tokens/gcp_client_spec.rb:gcp-api-
 ee/spec/lib/security/secret_detection/partner_tokens/gcp_client_spec.rb:gcp-api-key:22
 ee/spec/lib/security/secret_detection/partner_tokens/postman_client_spec.rb:postman-api-token:153
 ee/spec/workers/security/secret_detection/partner_token_verification_worker_spec.rb:generic-api-key:56
+spec/models/user_detail_spec.rb:discord-client-id:654
+spec/models/user_detail_spec.rb:discord-client-id:683
\ No newline at end of file
diff --git a/app/models/user_detail.rb b/app/models/user_detail.rb
index 3e237dfb040b8484bc239d346c215bc6ac8fb614..dadb67646692b27208251443f329354f0655df51 100644
--- a/app/models/user_detail.rb
+++ b/app/models/user_detail.rb
@@ -2,6 +2,7 @@
 
 class UserDetail < ApplicationRecord
   extend ::Gitlab::Utils::Override
+  include Sanitizable
 
   belongs_to :user
   belongs_to :bot_namespace, class_name: 'Namespace', optional: true, inverse_of: :bot_user_details
@@ -71,7 +72,16 @@ class UserDetail < ApplicationRecord
   validates :onboarding_status, json_schema: { filename: 'user_detail_onboarding_status' }
   validates :github, length: { maximum: DEFAULT_FIELD_LENGTH }, allow_blank: true
 
-  before_validation :sanitize_attrs
+  # Use Sanitizable concern when feature flag is enabled
+  sanitizes! :bluesky, :discord, :linkedin, :mastodon, :orcid, :twitter, :website_url, :github,
+    if: -> { Feature.enabled?(:validate_sanitizable_user_details, user) }
+
+  # New sanitization for location/organization (when feature flag is enabled)
+  before_validation :sanitize_location_and_organization, if: -> { Feature.enabled?(:validate_sanitizable_user_details, user) }
+
+  # Legacy sanitization (when feature flag is disabled)
+  before_validation :sanitize_attrs, if: -> { Feature.disabled?(:validate_sanitizable_user_details, user) }
+
   before_save :prevent_nil_fields
 
   # Exclude the hashed email_otp attribute
@@ -96,6 +106,15 @@ def sanitize_attrs
     end
   end
 
+  def sanitize_location_and_organization
+    %i[location organization].each do |attr|
+      value = self[attr]
+      # Use Sanitize.fragment (modern) instead of deprecated Sanitize.clean
+      # Apply special &amp; to & replacement for these fields
+      self[attr] = Sanitize.fragment(value).gsub('&amp;', '&') if value.present?
+    end
+  end
+
   def prevent_nil_fields
     self.bluesky = '' if bluesky.nil?
     self.bio = '' if bio.nil?
diff --git a/config/feature_flags/gitlab_com_derisk/validate_sanitizable_user_details.yml b/config/feature_flags/gitlab_com_derisk/validate_sanitizable_user_details.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a1d3ae0960c851e478cd665d110253d7c63c5e40
--- /dev/null
+++ b/config/feature_flags/gitlab_com_derisk/validate_sanitizable_user_details.yml
@@ -0,0 +1,8 @@
+---
+name: validate_sanitizable_user_details
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208943
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/581152
+milestone: '18.8'
+type: gitlab_com_derisk
+group: group::authentication
+default_enabled: false
\ No newline at end of file
diff --git a/spec/models/user_detail_spec.rb b/spec/models/user_detail_spec.rb
index e73355a353b07c5529ee9c4990fa396656c7151b..ec7e320c47cded1de20d692601654db210a24ec0 100644
--- a/spec/models/user_detail_spec.rb
+++ b/spec/models/user_detail_spec.rb
@@ -539,62 +539,153 @@
     it_behaves_like 'prevents `nil` value', :website_url
   end
 
-  describe '#sanitize_attrs' do
+  describe 'sanitization' do
     using RSpec::Parameterized::TableSyntax
 
     subject { build(:user_detail, field => input).tap(&:validate) }
 
-    where(:field, :input, :expected) do
-      # HTML tags sanitization - all fields
-      :bluesky      | '<a href="//evil.com">did:plc:ewvi7nxzyoun6zhxrhs64oiz<a>'   | 'did:plc:ewvi7nxzyoun6zhxrhs64oiz'
-      :discord      | '<a href="//evil.com">1234567890987654321<a>'                | '1234567890987654321'
-      :linkedin     | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-      :mastodon     | '<a href="//evil.com">@robin@example.com<a>'                 | '@robin@example.com'
-      :orcid        | '<a href="//evil.com">1234-1234-1234-1234<a>'                | '1234-1234-1234-1234'
-      :twitter      | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-      :website_url  | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-      :github       | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-      :location     | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-      :organization | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
-
-      # iframe scripts sanitization
-      :bluesky      | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :discord      | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :linkedin     | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :mastodon     | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :orcid        | '<iframe src=javascript:alert()>1234-1234-1234-1234<iframe>' | ''
-      :twitter      | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :website_url  | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :github       | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :location     | '<iframe src=javascript:alert()><iframe>'                    | ''
-      :organization | '<iframe src=javascript:alert()><iframe>'                    | ''
-
-      # js scripts sanitization
-      :bluesky      | '<script>alert("Test")</script>'                             | ''
-      :discord      | '<script>alert("Test")</script>'                             | ''
-      :linkedin     | '<script>alert("Test")</script>'                             | ''
-      :mastodon     | '<script>alert("Test")</script>'                             | ''
-      :orcid        | '<script>alert("Test")1234-1234-1234-1234</script>'          | ''
-      :twitter      | '<script>alert("Test")</script>'                             | ''
-      :website_url  | '<script>alert("Test")</script>'                             | ''
-      :github       | '<script>alert("Test")</script>'                             | ''
-      :location     | '<script>alert("Test")</script>'                             | ''
-      :organization | '<script>alert("Test")</script>'                             | ''
-
-      # HTML entities encoding - fields that encode & to &amp;
-      :linkedin     | 'test&attr'                                                  | 'test&amp;attr'
-      :twitter      | 'test&attr'                                                  | 'test&amp;attr'
-      :website_url  | 'http://example.com?test&attr'                               | 'http://example.com?test&amp;attr'
-      :github       | 'test&attr'                                                  | 'test&amp;attr'
-
-      # HTML entities NOT encoded - location, organization preserve &
-      :location     | 'test&attr'                                                  | 'test&attr'
-      :organization | 'test&attr'                                                  | 'test&attr'
+    shared_examples 'standard sanitization tests' do
+      # rubocop:disable Layout/LineLength -- Ignore long lines to keep single line table format
+      where(:field, :input, :expected) do
+        # HTML tags sanitization - all fields
+        :bluesky      | '<a href="//evil.com">did:plc:ewvi7nxzyoun6zhxrhs64oiz<a>'   | 'did:plc:ewvi7nxzyoun6zhxrhs64oiz'
+        :discord      | '<a href="//evil.com">1234567890987654321<a>'                | '1234567890987654321'
+        :linkedin     | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+        :mastodon     | '<a href="//evil.com">@robin@example.com<a>'                 | '@robin@example.com'
+        :orcid        | '<a href="//evil.com">1234-1234-1234-1234<a>'                | '1234-1234-1234-1234'
+        :twitter      | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+        :website_url  | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+        :github       | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+        :location     | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+        :organization | '<a href="//evil.com">https://example.com<a>'                | 'https://example.com'
+
+        # iframe scripts sanitization
+        :bluesky      | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :discord      | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :linkedin     | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :mastodon     | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :orcid        | '<iframe src=javascript:alert()>1234-1234-1234-1234<iframe>' | ''
+        :twitter      | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :website_url  | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :github       | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :location     | '<iframe src=javascript:alert()><iframe>'                    | ''
+        :organization | '<iframe src=javascript:alert()><iframe>'                    | ''
+
+        # js scripts sanitization
+        :bluesky      | '<script>alert("Test")</script>'                             | ''
+        :discord      | '<script>alert("Test")</script>'                             | ''
+        :linkedin     | '<script>alert("Test")</script>'                             | ''
+        :mastodon     | '<script>alert("Test")</script>'                             | ''
+        :orcid        | '<script>alert("Test")1234-1234-1234-1234</script>'          | ''
+        :twitter      | '<script>alert("Test")</script>'                             | ''
+        :website_url  | '<script>alert("Test")</script>'                             | ''
+        :github       | '<script>alert("Test")</script>'                             | ''
+        :location     | '<script>alert("Test")</script>'                             | ''
+        :organization | '<script>alert("Test")</script>'                             | ''
+      end
+      # rubocop:enable Layout/LineLength
+
+      with_them do
+        it { is_expected.to be_valid }
+        it { is_expected.to have_attributes field => expected }
+      end
     end
 
-    with_them do
-      it { is_expected.to be_valid }
-      it { is_expected.to have_attributes field => expected }
+    it_behaves_like 'standard sanitization tests'
+
+    context 'with valid field inputs' do
+      where(:field, :input, :expected) do
+        # HTML entities NOT encoding - fields that encode & to &amp;
+        :linkedin     | 'test&attr'                                  | 'test&attr'
+        :twitter      | 'test&attr'                                  | 'test&attr'
+        :website_url  | 'http://example.com?test&attr'               | 'http://example.com?test&attr'
+        :github       | 'test&attr'                                  | 'test&attr'
+
+        # HTML entities NOT encoded - location, organization preserve &
+        :location     | 'test&attr'                                  | 'test&attr'
+        :organization | 'test&attr'                                  | 'test&attr'
+
+        # Legitimate edge cases
+        :website_url  | 'https://example.com/search?q=hello%20world' | 'https://example.com/search?q=hello%20world'
+        :twitter      | 'https://twitter.com/user'                   | 'https://twitter.com/user'
+        :linkedin     | 'https://linkedin.com/in/user-name'          | 'https://linkedin.com/in/user-name'
+        :twitter      | '@user_name'                                 | '@user_name'
+        :discord      | '123456789012345678'                         | '123456789012345678'
+        :website_url  | 'https://example.com?foo=bar&baz=qux'        | 'https://example.com?foo=bar&baz=qux'
+        :github       | 'https://github.com/user/repo'               | 'https://github.com/user/repo'
+        :website_url  | 'https://example.com/path/to/page'           | 'https://example.com/path/to/page'
+      end
+
+      with_them do
+        it { is_expected.to be_valid }
+        it { is_expected.to have_attributes field => expected }
+      end
+    end
+
+    context 'with invalid field inputs' do
+      where(:field, :input, :error_message) do
+        :bluesky     | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :discord     | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :linkedin    | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :mastodon    | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :orcid       | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :twitter     | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :website_url | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+        :github      | '&lt;script&gt;alert(1)&lt;/script&gt;'   | 'cannot contain escaped HTML entities'
+
+        :bluesky     | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :discord     | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :linkedin    | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :mastodon    | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :orcid       | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :twitter     | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :website_url | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+        :github      | '%2526lt%253Bscript%2526gt%253B'          | 'cannot contain escaped components'
+
+        :bluesky     | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :discord     | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :linkedin    | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :mastodon    | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :orcid       | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :twitter     | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :website_url | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+        :github      | 'main../../../../../../api/v4/projects/1' | 'cannot contain a path traversal component'
+      end
+
+      with_them do
+        it { is_expected.not_to be_valid }
+        it { is_expected.to have_attributes errors: hash_including(field => array_including(error_message)) }
+      end
+    end
+
+    context 'when feature flag :validate_sanitizable_user_details is disabled' do
+      before do
+        stub_feature_flags(validate_sanitizable_user_details: false)
+      end
+
+      it_behaves_like 'standard sanitization tests'
+
+      where(:field, :input, :expected) do
+        # HTML entities encoding - fields that encode & to &amp;
+        :linkedin     | 'test&attr'                                 | 'test&amp;attr'
+        :twitter      | 'test&attr'                                 | 'test&amp;attr'
+        :website_url  | 'http://example.com?test&attr'              | 'http://example.com?test&amp;attr'
+        :github       | 'test&attr'                                 | 'test&amp;attr'
+
+        # HTML entities NOT encoded - location, organization preserve &
+        :location     | 'test&attr'                                 | 'test&attr'
+        :organization | 'test&attr'                                 | 'test&attr'
+
+        # Does not apply Sanitizable validations
+        :twitter      | '&lt;script&gt;alert(1)&lt;/script&gt;'     | '&lt;script&gt;alert(1)&lt;/script&gt;'
+        :linkedin     | '%2526lt%253Bscript%2526gt%253B'            | '%2526lt%253Bscript%2526gt%253B'
+        :github       | 'main../../../../../../api/v4/projects/1'   | 'main../../../../../../api/v4/projects/1'
+      end
+
+      with_them do
+        it { is_expected.to be_valid }
+        it { is_expected.to have_attributes field => expected }
+      end
     end
   end
 
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index f108e73c9791dc9124c2743fa17160b0960dd143..30839306c606d37a2f308f1ef41fb2dbfb3a62ba 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -1940,6 +1940,87 @@ def update_password(user, admin, password = User.random_password)
       end
     end
 
+    context 'when updating user_details with sanitizable fields' do
+      using RSpec::Parameterized::TableSyntax
+
+      let_it_be(:user_for_details) { create(:user) }
+      let(:details_path) { "/users/#{user_for_details.id}" }
+
+      subject(:put_request_response) { put api(details_path, admin, admin_mode: true), params: params }
+
+      shared_examples 'successful user_details update' do
+        with_them do
+          it 'responds :ok and sets the field correctly' do
+            put_request_response
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response).to include(expected_attributes)
+          end
+        end
+      end
+
+      shared_examples 'rejected user_details update' do
+        with_them do
+          it 'responds :bad_request with validation error' do
+            put_request_response
+
+            expect(response).to have_gitlab_http_status(:bad_request)
+            expect(json_response['message'].values.flatten).to include(match(expected_error))
+          end
+        end
+      end
+
+      context 'with valid input' do
+        where(:params, :expected_attributes) do
+          { linkedin: 'https://linkedin.com/in/username' }  | { 'linkedin' => 'https://linkedin.com/in/username' }
+          { website_url: 'https://example.com?a=1&b=2' }    | { 'website_url' => 'https://example.com?a=1&b=2' }
+          { twitter: '<script>alert("xss")</script>@user' } | { 'twitter' => '@user' }
+        end
+
+        it_behaves_like 'successful user_details update'
+      end
+
+      context 'with invalid input' do
+        where(:params, :expected_error) do
+          { linkedin: '&lt;script&gt;alert(1)&lt;/script&gt;' } | /cannot contain escaped HTML entities/
+          { website_url: '%2526lt%253Bscript%2526gt%253B' }     | /cannot contain escaped components/
+          { github: 'main../../../../../../etc/passwd' }        | /cannot contain a path traversal component/
+        end
+
+        it_behaves_like 'rejected user_details update'
+      end
+
+      context 'when feature flag :validate_sanitizable_user_details is disabled' do
+        before do
+          stub_feature_flags(validate_sanitizable_user_details: false)
+        end
+
+        context 'with valid input' do
+          where(:params, :expected_attributes) do
+            { linkedin: 'https://linkedin.com/in/username' }  | { 'linkedin' => 'https://linkedin.com/in/username' }
+            { website_url: 'https://example.com?a=1&b=2' }    | { 'website_url' => 'https://example.com?a=1&b=2' }
+            { twitter: '<script>alert("xss")</script>@user' } | { 'twitter' => '@user' }
+
+            # Valid inputs when the feature flag :validate_sanitizable_user_details is enabled
+            { linkedin: '&lt;script&gt;alert(1)&lt;/script&gt;' } | { 'linkedin' => '&lt;script&gt;alert(1)&lt;/script&gt;' }
+            { website_url: '%2526lt%253Bscript%2526gt%253B' }     | { 'website_url' => '%2526lt%253Bscript%2526gt%253B' }
+            { github: 'main../../../../../../etc/passwd' }        | { 'github' => 'main../../../../../../etc/passwd' }
+          end
+
+          it_behaves_like 'successful user_details update'
+        end
+
+        context 'with input that was already invalid before this MR' do
+          where(:params, :expected_error) do
+            { linkedin: 'a' * 501 }            | /is too long/
+            { website_url: 'not-a-valid-url' } | /is not a valid URL/
+          end
+
+          it_behaves_like 'rejected user_details update'
+        end
+      end
+    end
+
     it 'updates user with avatar' do
       workhorse_form_with_file(
         api(path, admin, admin_mode: true),