fix: code review — XSS, type safety, validation improvements

Critical:
- InvoiceDetail: sanitize notes HTML with DOMPurify
- OrderDetail: use proper DOMPurify import instead of window fallback

Important:
- AttendanceBalances: add fund_to_date to interface, remove as-any casts
- All schemas: replace z.any() with z.preprocess for boolean fields
- Routes: simplify boolean coercion (Zod handles it now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BOHA
2026-03-24 20:13:20 +01:00
parent 3c167cf5c4
commit 106606f3fa
17 changed files with 63 additions and 46 deletions


@@ -5,6 +5,7 @@ import {
useParams,
Link,
} from "react-router-dom";
import DOMPurify from "dompurify";
import { useAlert } from "../context/AlertContext";
import { useAuth } from "../context/AuthContext";
import Forbidden from "../components/Forbidden";
@@ -1969,7 +1970,9 @@ export default function InvoiceDetail() {
<h3 className="admin-card-title">Veřejné poznámky na faktuře</h3>
{isPaid ? (
notes && notes.trim() && notes !== "<p><br></p>" ? (
<div dangerouslySetInnerHTML={{ __html: notes }} />
<div
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(notes) }}
/>
) : (
<p className="text-tertiary">Žádné poznámky.</p>
)
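Review bot: The `DOMPurify.sanitize(notes)` call in the paid branch runs with the default configuration, which also lets SVG and MathML markup through and is broader than rich-text invoice notes need; passing `{ USE_PROFILES: { html: true } }` or an explicit `ALLOWED_TAGS`/`ALLOWED_ATTR` list would narrow what can reach `dangerouslySetInnerHTML`. The emptiness test two lines above still inspects the raw `notes` string, so input that sanitizes to nothing renders an empty `<div>` instead of the "Žádné poznámky." fallback. Sanitizing once before the JSX, e.g. `const safeNotes = DOMPurify.sanitize(notes ?? "", { USE_PROFILES: { html: true } });`, and testing and rendering `safeNotes` would cover both. The fix protects only this render site, so if the same notes are shown elsewhere (not visible in this hunk) they should also be sanitized where they are stored or at each other sink. The body of `InvoiceDetail` starts and ends outside the hunk.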