/* ── Shared input sanitization ────────────────────────────────────────── */

/**
 * Remove tag-like sequences from a string and trim the result.
 *
 * Everything from a `<` up to the next `>` is deleted. A `<` with no closing
 * `>` takes the rest of the string with it, so plain text such as `a < b`
 * comes back as `a`. The pass is repeated until the value stops changing.
 *
 * This is tag removal, not output encoding: quotes, `&`, stray `>` and
 * entity-encoded markup pass through untouched, so the result still needs
 * escaping that matches the place it is rendered (attribute, URL, script).
 * Non-string input (arrays, objects, numbers) is returned as-is, unsanitized;
 * callers that accept parsed request bodies should validate types separately.
 *
 * @param {*} str - value to clean; only strings are modified
 * @returns {*} the cleaned, trimmed string, or the input itself if not a string
 */
function stripTags(str) {
  if (typeof str !== 'string') {
    return str;
  }

  let current = str;
  for (;;) {
    const stripped = current.replace(/<[^>]*>?/g, '');
    if (stripped === current) {
      // Fixed point reached: another pass would change nothing.
      return stripped.trim();
    }
    current = stripped;
  }
}

/**
 * Run stripTags over selected string properties of an object, in place.
 *
 * Only the listed keys are touched, and only when the current value is a
 * string. Keys not listed, and listed keys holding arrays, nested objects or
 * other non-string values, are left exactly as they were.
 *
 * @param {object} obj - object to mutate
 * @param {string[]} fields - keys to sanitize
 * @returns {object} the same `obj` reference
 */
function sanitizeFields(obj, fields) {
  for (const key of fields) {
    if (typeof obj[key] !== 'string') {
      continue;
    }
    obj[key] = stripTags(obj[key]);
  }
  return obj;
}

module.exports = { stripTags, sanitizeFields };