fix: code review — XSS, type safety, validation improvements
Critical: - InvoiceDetail: sanitize notes HTML with DOMPurify - OrderDetail: use proper DOMPurify import instead of window fallback Important: - AttendanceBalances: add fund_to_date to interface, remove as-any casts - All schemas: replace z.any() with z.preprocess for boolean fields - Routes: simplify boolean coercion (Zod handles it now) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,7 +7,7 @@ export const CreateBankAccountSchema = z.object({
|
||||
iban: z.string().nullish(),
|
||||
bic: z.string().nullish(),
|
||||
currency: z.string().optional().default("CZK"),
|
||||
is_default: z.any().optional().default(false),
|
||||
is_default: z.preprocess(v => v === true || v === 1 || v === "1", z.boolean()).optional().default(false),
|
||||
position: z
|
||||
.union([z.number(), z.string()])
|
||||
.transform((v) => Number(v))
|
||||
@@ -22,7 +22,7 @@ export const UpdateBankAccountSchema = z.object({
|
||||
iban: z.string().nullish(),
|
||||
bic: z.string().nullish(),
|
||||
currency: z.string().optional(),
|
||||
is_default: z.any().optional(),
|
||||
is_default: z.preprocess(v => v === true || v === 1 || v === "1", z.boolean()).optional(),
|
||||
position: z
|
||||
.union([z.number(), z.string()])
|
||||
.transform((v) => Number(v))
|
||||
|
||||
Reference in New Issue
Block a user