fix: security hardening, UI fixes, and validation improvements

- Fix header nav overflow by switching to lg: breakpoint with tighter gaps
- Fix file upload path traversal by whitelisting allowed folders and extensions
- Fix BookingModal using hardcoded content instead of DB-backed data
- Add input length validation on public master-class registration API
- Add ID validation on team member and reorder API routes
- Fix BookingModal useCallback missing groupInfo/contact dependencies
- Improve admin news date field to use native date picker
- Add missing Мастер-классы and Новости cards to admin dashboard

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/app/admin/news/page.tsx

@@ -122,12 +122,15 @@ export default function NewsEditorPage() {
                     value={item.title}
                     onChange={(v) => updateItem({ ...item, title: v })}
                   />
-                  <InputField
+                  <div>
-                    label="Дата"
+                    <label className="block text-sm text-neutral-400 mb-1.5">Дата</label>
-                    value={item.date}
+                    <input
-                    onChange={(v) => updateItem({ ...item, date: v })}
+                      type="date"
-                    placeholder="2026-03-15"
+                      value={item.date}
-                  />
+                      onChange={(e) => updateItem({ ...item, date: e.target.value })}
+                      className="w-full rounded-lg border border-white/10 bg-neutral-800 px-4 py-2.5 text-white outline-none focus:border-gold transition-colors [color-scheme:dark]"
+                    />
+                  </div>
                 </div>
                 <TextareaField
                   label="Текст"

src/app/admin/page.tsx

@@ -5,9 +5,11 @@ import {
   FileText,
   Users,
   BookOpen,
+  Star,
   Calendar,
   DollarSign,
   HelpCircle,
+  Newspaper,
   Phone,
 } from "lucide-react";
 
@@ -17,9 +19,11 @@ const CARDS = [
   { href: "/admin/about", label: "О студии", icon: FileText, desc: "Текст о студии" },
   { href: "/admin/team", label: "Команда", icon: Users, desc: "Тренеры и инструкторы" },
   { href: "/admin/classes", label: "Направления", icon: BookOpen, desc: "Типы занятий" },
+  { href: "/admin/master-classes", label: "Мастер-классы", icon: Star, desc: "Мастер-классы и записи" },
   { href: "/admin/schedule", label: "Расписание", icon: Calendar, desc: "Расписание занятий" },
   { href: "/admin/pricing", label: "Цены", icon: DollarSign, desc: "Абонементы и аренда" },
   { href: "/admin/faq", label: "FAQ", icon: HelpCircle, desc: "Часто задаваемые вопросы" },
+  { href: "/admin/news", label: "Новости", icon: Newspaper, desc: "Новости и анонсы" },
   { href: "/admin/contact", label: "Контакты", icon: Phone, desc: "Адреса, телефон, карта" },
 ];
 

src/app/api/admin/team/[id]/route.ts

@@ -4,9 +4,18 @@ import { revalidatePath } from "next/cache";
 
 type Params = { params: Promise<{ id: string }> };
 
+function parseId(raw: string): number | null {
+  const n = Number(raw);
+  return Number.isInteger(n) && n > 0 ? n : null;
+}
+
 export async function GET(_request: NextRequest, { params }: Params) {
   const { id } = await params;
-  const member = getTeamMember(Number(id));
+  const numId = parseId(id);
+  if (!numId) {
+    return NextResponse.json({ error: "Invalid ID" }, { status: 400 });
+  }
+  const member = getTeamMember(numId);
   if (!member) {
     return NextResponse.json({ error: "Not found" }, { status: 404 });
   }
@@ -15,15 +24,23 @@ export async function GET(_request: NextRequest, { params }: Params) {
 
 export async function PUT(request: NextRequest, { params }: Params) {
   const { id } = await params;
+  const numId = parseId(id);
+  if (!numId) {
+    return NextResponse.json({ error: "Invalid ID" }, { status: 400 });
+  }
   const data = await request.json();
-  updateTeamMember(Number(id), data);
+  updateTeamMember(numId, data);
   revalidatePath("/");
   return NextResponse.json({ ok: true });
 }
 
 export async function DELETE(_request: NextRequest, { params }: Params) {
   const { id } = await params;
-  deleteTeamMember(Number(id));
+  const numId = parseId(id);
+  if (!numId) {
+    return NextResponse.json({ error: "Invalid ID" }, { status: 400 });
+  }
+  deleteTeamMember(numId);
   revalidatePath("/");
   return NextResponse.json({ ok: true });
 }

src/app/api/admin/team/reorder/route.ts

@@ -5,8 +5,8 @@ import { revalidatePath } from "next/cache";
 export async function PUT(request: NextRequest) {
   const { ids } = await request.json() as { ids: number[] };
 
-  if (!Array.isArray(ids) || ids.length === 0) {
+  if (!Array.isArray(ids) || ids.length === 0 || !ids.every((id) => Number.isInteger(id) && id > 0)) {
-    return NextResponse.json({ error: "ids array required" }, { status: 400 });
+    return NextResponse.json({ error: "ids must be a non-empty array of positive integers" }, { status: 400 });
   }
 
   reorderTeamMembers(ids);

src/app/api/admin/upload/route.ts

@@ -3,12 +3,15 @@ import { writeFile, mkdir } from "fs/promises";
 import path from "path";
 
 const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/webp", "image/avif"];
+const ALLOWED_EXTENSIONS = [".jpg", ".jpeg", ".png", ".webp", ".avif"];
+const ALLOWED_FOLDERS = ["team", "master-classes", "news", "classes"];
 const MAX_SIZE = 5 * 1024 * 1024; // 5MB
 
 export async function POST(request: NextRequest) {
   const formData = await request.formData();
   const file = formData.get("file") as File | null;
-  const folder = (formData.get("folder") as string) || "team";
+  const rawFolder = (formData.get("folder") as string) || "team";
+  const folder = ALLOWED_FOLDERS.includes(rawFolder) ? rawFolder : "team";
 
   if (!file) {
     return NextResponse.json({ error: "No file provided" }, { status: 400 });
@@ -28,8 +31,14 @@ export async function POST(request: NextRequest) {
     );
   }
 
-  // Sanitize filename
+  // Validate and sanitize filename
-  const ext = path.extname(file.name) || ".webp";
+  const ext = path.extname(file.name).toLowerCase() || ".webp";
+  if (!ALLOWED_EXTENSIONS.includes(ext)) {
+    return NextResponse.json(
+      { error: "Invalid file extension" },
+      { status: 400 }
+    );
+  }
   const baseName = file.name
     .replace(ext, "")
     .toLowerCase()

src/app/api/master-class-register/route.ts

@@ -6,21 +6,24 @@ export async function POST(request: Request) {
     const body = await request.json();
     const { masterClassTitle, name, instagram, telegram } = body;
 
-    if (!masterClassTitle || typeof masterClassTitle !== "string") {
+    if (!masterClassTitle || typeof masterClassTitle !== "string" || masterClassTitle.length > 200) {
       return NextResponse.json({ error: "masterClassTitle is required" }, { status: 400 });
     }
-    if (!name || typeof name !== "string" || !name.trim()) {
+    if (!name || typeof name !== "string" || !name.trim() || name.length > 100) {
-      return NextResponse.json({ error: "name is required" }, { status: 400 });
+      return NextResponse.json({ error: "name is required (max 100 chars)" }, { status: 400 });
     }
-    if (!instagram || typeof instagram !== "string" || !instagram.trim()) {
+    if (!instagram || typeof instagram !== "string" || !instagram.trim() || instagram.length > 100) {
       return NextResponse.json({ error: "Instagram аккаунт обязателен" }, { status: 400 });
     }
+    if (telegram && (typeof telegram !== "string" || telegram.length > 100)) {
+      return NextResponse.json({ error: "Telegram too long" }, { status: 400 });
+    }
 
     const id = addMcRegistration(
-      masterClassTitle.trim(),
+      masterClassTitle.trim().slice(0, 200),
-      name.trim(),
+      name.trim().slice(0, 100),
-      instagram.trim(),
+      instagram.trim().slice(0, 100),
-      telegram && typeof telegram === "string" ? telegram.trim() : undefined
+      telegram && typeof telegram === "string" ? telegram.trim().slice(0, 100) : undefined
     );
 
     return NextResponse.json({ ok: true, id });

src/components/layout/Header.tsx

@@ -100,14 +100,14 @@ export function Header() {
           </span>
         </Link>
 
-        <nav className="hidden items-center gap-8 md:flex">
+        <nav className="hidden items-center gap-3 lg:gap-5 xl:gap-6 lg:flex">
           {visibleLinks.map((link) => {
             const isActive = activeSection === link.href.replace("#", "");
             return (
               <a
                 key={link.href}
                 href={link.href}
-                className={`relative py-1 text-sm font-medium transition-all duration-300 after:absolute after:bottom-0 after:left-0 after:h-[2px] after:bg-gold after:transition-all after:duration-300 ${
+                className={`relative whitespace-nowrap py-1 text-xs lg:text-sm font-medium transition-all duration-300 after:absolute after:bottom-0 after:left-0 after:h-[2px] after:bg-gold after:transition-all after:duration-300 ${
                   isActive
                     ? "text-gold-light after:w-full"
                     : "text-neutral-400 after:w-0 hover:text-white hover:after:w-full"
@@ -125,7 +125,7 @@ export function Header() {
           </button>
         </nav>
 
-        <div className="flex items-center gap-2 md:hidden">
+        <div className="flex items-center gap-2 lg:hidden">
           <button
             onClick={() => setMenuOpen(!menuOpen)}
             aria-label="Меню"
@@ -138,7 +138,7 @@ export function Header() {
 
       {/* Mobile menu */}
       <div
-        className={`overflow-hidden transition-all duration-300 md:hidden ${
+        className={`overflow-hidden transition-all duration-300 lg:hidden ${
           menuOpen ? "max-h-80 opacity-100" : "max-h-0 opacity-0"
         }`}
       >
@@ -175,7 +175,7 @@ export function Header() {
       {/* Floating booking button — visible on scroll, mobile */}
       <button
         onClick={() => setBookingOpen(true)}
-        className={`fixed bottom-6 right-6 z-40 flex items-center gap-2 rounded-full bg-gold px-5 py-3 text-sm font-semibold text-black shadow-lg shadow-gold/25 transition-all duration-500 hover:bg-gold-light hover:shadow-xl hover:shadow-gold/30 cursor-pointer md:hidden ${
+        className={`fixed bottom-6 right-6 z-40 flex items-center gap-2 rounded-full bg-gold px-5 py-3 text-sm font-semibold text-black shadow-lg shadow-gold/25 transition-all duration-500 hover:bg-gold-light hover:shadow-xl hover:shadow-gold/30 cursor-pointer lg:hidden ${
           scrolled ? "translate-y-0 opacity-100" : "translate-y-16 opacity-0 pointer-events-none"
         }`}
       >

src/components/ui/BookingModal.tsx

@@ -3,16 +3,22 @@
 import { useState, useEffect, useCallback } from "react";
 import { createPortal } from "react-dom";
 import { X, Instagram, Send, CheckCircle, Phone } from "lucide-react";
-import { siteContent } from "@/data/content";
+import { BRAND } from "@/lib/constants";
 
 interface BookingModalProps {
   open: boolean;
   onClose: () => void;
   groupInfo?: string;
+  contact?: { instagram: string; phone: string };
 }
 
-export function BookingModal({ open, onClose, groupInfo }: BookingModalProps) {
+const DEFAULT_CONTACT = {
-  const { contact } = siteContent;
+  instagram: BRAND.instagram,
+  phone: "+375 29 389-70-01",
+};
+
+export function BookingModal({ open, onClose, groupInfo, contact: contactProp }: BookingModalProps) {
+  const contact = contactProp ?? DEFAULT_CONTACT;
   const [name, setName] = useState("");
   const [phone, setPhone] = useState("+375 ");
 
@@ -72,7 +78,7 @@ export function BookingModal({ open, onClose, groupInfo }: BookingModalProps) {
       window.open(instagramUrl, "_blank");
       setSubmitted(true);
     },
-    [name, phone]
+    [name, phone, groupInfo, contact]
   );
 
   const handleClose = useCallback(() => {