fix: 4 bugs from regression testing

- BUG-1: Strip HTML tags in sanitizeName (prevent stored XSS)
- BUG-2: Strip HTML tags in notes via sanitizeText across all 3 booking APIs
- BUG-3: Dashboard excludes archived/past MCs and expired Open Day events from counts
- BUG-4: Truncate long names in booking cards to prevent overflow
2026-03-24 16:43:19 +03:00
parent aa0cfe35c3
commit 2c64951cb3
6 changed files with 33 additions and 12 deletions


@@ -6,6 +6,7 @@ import {
setOpenDayBookingStatus,
updateBookingNotes,
} from "@/lib/db";
import { sanitizeText } from "@/lib/validation";
export async function GET(request: NextRequest) {
const eventIdStr = request.nextUrl.searchParams.get("eventId");
@@ -30,7 +31,7 @@ export async function PUT(request: NextRequest) {
if (body.action === "set-notes") {
const { id, notes } = body;
if (!id) return NextResponse.json({ error: "id is required" }, { status: 400 });
updateBookingNotes("open_day_bookings", id, notes ?? "");
updateBookingNotes("open_day_bookings", id, sanitizeText(notes, 1000) ?? "");
return NextResponse.json({ ok: true });
}
if (body.action === "toggle-notify") {
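Review bot: The new `set-notes` line passes `notes` straight from the request body into sanitizeText without checking it is a string, so a non-string value (number, object, array) reaches the sanitizer and, depending on what sanitizeText does with such input, is either coerced or collapsed to `""` by the `?? ""` fallback and stored silently instead of being rejected the way a missing `id` is. Consider adding, before the update, `if (notes !== undefined && typeof notes !== "string") return NextResponse.json({ error: "notes must be a string" }, { status: 400 });`. Stripping tags at write time is only part of the stored-XSS fix; it still depends on the dashboard encoding `notes` when it renders them, which this hunk cannot show, so that render path is worth confirming rather than relying on sanitizeText alone. The commit message says the same change was made in the other two booking APIs, so the same type check would apply there. The body of PUT continues outside the hunk.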