letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore(autonomous-session): consolidate uncommitted work from prior session

Browse Source 
Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy
This commit is contained in:
Matt
2026-05-23 00:52:59 +02:00
parent 43719b49e9
commit 221ae5784e
749 changed files with 7440 additions and 3118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tests/unit/markdown-email-sanitization.test.ts
View File

@@ -3,7 +3,7 @@
*
* Every code path that turns rep-authored markdown into the email's
* `html` body is required to go through `renderEmailBody()`. These tests
* are the canary if any future change to the renderer lets a known XSS
* are the canary - if any future change to the renderer lets a known XSS
* payload through, the test breaks before the change ships.
*/
import { describe, expect, it } from 'vitest';
@@ -16,7 +16,7 @@ import {
renderEmailBody,
} from '@/lib/utils/markdown-email';
describe('renderEmailBody XSS payload coverage', () => {
describe('renderEmailBody - XSS payload coverage', () => {
it('escapes <script> tags so they render as text, not active script', () => {
const html = renderEmailBody('Hi <script>alert(1)</script> there');
expect(html).not.toContain('<script>');
@@ -68,7 +68,7 @@ describe('renderEmailBody — XSS payload coverage', () => {
it('escapes attribute-style XSS attempts (no live <svg> tag survives)', () => {
const html = renderEmailBody('"><svg onload=alert(1)>');
// The literal "<svg" must never appear unescaped the angle bracket is
// The literal "<svg" must never appear unescaped - the angle bracket is
// what the browser parses, not the word "onload".
expect(html).not.toContain('<svg');
expect(html).toContain('&lt;svg');
@@ -92,7 +92,7 @@ describe('renderEmailBody — XSS payload coverage', () => {
});
});
describe('renderEmailBody markdown rules', () => {
describe('renderEmailBody - markdown rules', () => {
it('renders **bold** as <strong>', () => {
expect(renderEmailBody('this is **bold**')).toContain('<strong>bold</strong>');
});