diana.dolgolyova/blackheart-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 4 bugs from regression testing

Browse Source 
- BUG-1: Strip HTML tags in sanitizeName (prevent stored XSS)
- BUG-2: Strip HTML tags in notes via sanitizeText across all 3 booking APIs
- BUG-3: Dashboard excludes archived/past MCs and expired Open Day events from counts
- BUG-4: Truncate long names in booking cards to prevent overflow
This commit is contained in:
Diana Dolgolyova
2026-03-24 16:43:19 +03:00
parent aa0cfe35c3
commit 2c64951cb3
6 changed files with 33 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/lib/validation.ts
View File

@@ -2,9 +2,13 @@
* Shared input sanitization for public registration endpoints.
*/
function stripHtml(str: string): string {
return str.replace(/<[^>]*>/g, "");
}
export function sanitizeName(name: unknown): string | null {
if (!name || typeof name !== "string") return null;
const clean = name.trim().slice(0, 100);
const clean = stripHtml(name).trim().slice(0, 100);
return clean || null;
}
@@ -22,6 +26,6 @@ export function sanitizeHandle(value: unknown): string | undefined {
export function sanitizeText(value: unknown, maxLength: number = 200): string | undefined {
if (!value || typeof value !== "string") return undefined;
const clean = value.trim().slice(0, maxLength);
const clean = stripHtml(value).trim().slice(0, maxLength);
return clean || undefined;
}