diana.dolgolyova/blackheart-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 4 bugs from regression testing

Browse Source 
- BUG-1: Strip HTML tags in sanitizeName (prevent stored XSS)
- BUG-2: Strip HTML tags in notes via sanitizeText across all 3 booking APIs
- BUG-3: Dashboard excludes archived/past MCs and expired Open Day events from counts
- BUG-4: Truncate long names in booking cards to prevent overflow
This commit is contained in:
Diana Dolgolyova
2026-03-24 16:43:19 +03:00
parent aa0cfe35c3
commit 2c64951cb3
6 changed files with 33 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/app/admin/bookings/GenericBookingsList.tsx
View File

@@ -86,7 +86,7 @@ export function GenericBookingsList<T extends BaseBooking>({
<BookingCard key={item.id} status={item.status}>
<div className="flex items-start justify-between gap-3">
<div className="flex items-center gap-2 flex-wrap text-sm min-w-0">
<span className="font-medium text-white">{item.name}</span>
<span className="font-medium text-white truncate max-w-[200px]">{item.name}</span>
<ContactLinks phone={item.phone} instagram={item.instagram} telegram={item.telegram} />
{renderExtra?.(item)}
</div>

26
src/app/admin/bookings/page.tsx
View File

@@ -568,17 +568,31 @@ function DashboardSummary({ onNavigate }: { onNavigate: (tab: Tab) => void }) {
const [counts, setCounts] = useState<DashboardCounts | null>(null);
useEffect(() => {
const today = new Date().toISOString().split("T")[0];
const tomorrow = new Date(Date.now() + 86400000).toISOString().split("T")[0];
Promise.all([
adminFetch("/api/admin/group-bookings").then((r) => r.json()),
adminFetch("/api/admin/mc-registrations").then((r) => r.json()),
adminFetch("/api/admin/open-day").then((r) => r.json()).then(async (events: { id: number }[]) => {
if (events.length === 0) return [];
return adminFetch(`/api/admin/open-day/bookings?eventId=${events[0].id}`).then((r) => r.json());
// Fetch MC registrations + section data to filter out archived
Promise.all([
adminFetch("/api/admin/mc-registrations").then((r) => r.json()),
adminFetch("/api/admin/sections/masterClasses").then((r) => r.json()),
]).then(([regs, mcData]: [{ status: string; masterClassTitle: string }[], { items?: { title: string; slots: { date: string }[] }[] }]) => {
// Build set of upcoming MC titles
const upcomingTitles = new Set<string>();
for (const mc of mcData.items || []) {
if (mc.slots?.some((s) => s.date >= today)) upcomingTitles.add(mc.title);
}
return regs.filter((r) => upcomingTitles.has(r.masterClassTitle));
}),
// Fetch Open Day — only upcoming events
adminFetch("/api/admin/open-day").then((r) => r.json()).then(async (events: { id: number; date: string }[]) => {
const active = events.find((e) => e.date >= today);
if (!active) return [];
return adminFetch(`/api/admin/open-day/bookings?eventId=${active.id}`).then((r) => r.json());
}),
adminFetch("/api/admin/reminders").then((r) => r.json()).catch(() => []),
]).then(([gb, mc, od, rem]: [{ status: string }[], { status: string }[], { status: string }[], { eventDate: string }[]]) => {
const today = new Date().toISOString().split("T")[0];
const tomorrow = new Date(Date.now() + 86400000).toISOString().split("T")[0];
setCounts({
classesNew: gb.filter((b) => b.status === "new").length,
classesContacted: gb.filter((b) => b.status === "contacted").length,

3
src/app/api/admin/group-bookings/route.ts
View File

@@ -1,6 +1,7 @@
import { NextRequest, NextResponse } from "next/server";
import { getGroupBookings, addGroupBooking, toggleGroupBookingNotification, deleteGroupBooking, setGroupBookingStatus, updateBookingNotes } from "@/lib/db";
import type { BookingStatus } from "@/lib/db";
import { sanitizeText } from "@/lib/validation";
export async function GET() {
const bookings = getGroupBookings();
@@ -35,7 +36,7 @@ export async function PUT(request: NextRequest) {
if (body.action === "set-notes") {
const { id, notes } = body;
if (!id) return NextResponse.json({ error: "id is required" }, { status: 400 });
updateBookingNotes("group_bookings", id, notes ?? "");
updateBookingNotes("group_bookings", id, sanitizeText(notes, 1000) ?? "");
return NextResponse.json({ ok: true });
}
return NextResponse.json({ error: "Unknown action" }, { status: 400 });

3
src/app/api/admin/mc-registrations/route.ts
View File

@@ -1,5 +1,6 @@
import { NextRequest, NextResponse } from "next/server";
import { getMcRegistrations, getAllMcRegistrations, addMcRegistration, updateMcRegistration, toggleMcNotification, deleteMcRegistration, setMcRegistrationStatus, updateBookingNotes } from "@/lib/db";
import { sanitizeText } from "@/lib/validation";
export async function GET(request: NextRequest) {
const title = request.nextUrl.searchParams.get("title");
@@ -44,7 +45,7 @@ export async function PUT(request: NextRequest) {
if (body.action === "set-notes") {
const { id, notes } = body;
if (!id) return NextResponse.json({ error: "id is required" }, { status: 400 });
updateBookingNotes("mc_registrations", id, notes ?? "");
updateBookingNotes("mc_registrations", id, sanitizeText(notes, 1000) ?? "");
return NextResponse.json({ ok: true });
}

3
src/app/api/admin/open-day/bookings/route.ts
View File

@@ -6,6 +6,7 @@ import {
setOpenDayBookingStatus,
updateBookingNotes,
} from "@/lib/db";
import { sanitizeText } from "@/lib/validation";
export async function GET(request: NextRequest) {
const eventIdStr = request.nextUrl.searchParams.get("eventId");
@@ -30,7 +31,7 @@ export async function PUT(request: NextRequest) {
if (body.action === "set-notes") {
const { id, notes } = body;
if (!id) return NextResponse.json({ error: "id is required" }, { status: 400 });
updateBookingNotes("open_day_bookings", id, notes ?? "");
updateBookingNotes("open_day_bookings", id, sanitizeText(notes, 1000) ?? "");
return NextResponse.json({ ok: true });
}
if (body.action === "toggle-notify") {