boha_admin/app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity

fix: code review — XSS, type safety, validation improvements

Browse Source 
Critical:
- InvoiceDetail: sanitize notes HTML with DOMPurify
- OrderDetail: use proper DOMPurify import instead of window fallback

Important:
- AttendanceBalances: add fund_to_date to interface, remove as-any casts
- All schemas: replace z.any() with z.preprocess for boolean fields
- Routes: simplify boolean coercion (Zod handles it now)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
BOHA
2026-03-24 20:13:20 +01:00
parent 3c167cf5c4
commit 106606f3fa
17 changed files with 63 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/schemas/invoices.schema.ts
View File

@@ -41,7 +41,7 @@ export const CreateInvoiceSchema = z.object({
.transform((v) => Number(v))
.optional()
.default(21.0),
apply_vat: z.any().optional().default(true),
apply_vat: z.preprocess(v => v === true || v === 1 || v === "1", z.boolean()).optional().default(true),
payment_method: z.string().nullish(),
constant_symbol: z.string().nullish(),
bank_name: z.string().nullish(),
@@ -73,7 +73,7 @@ export const UpdateInvoiceSchema = z.object({
.union([z.number(), z.string()])
.transform((v) => Number(v))
.optional(),
apply_vat: z.any().optional(),
apply_vat: z.preprocess(v => v === true || v === 1 || v === "1", z.boolean()).optional(),
issue_date: z.union([z.string(), z.null()]).optional(),
due_date: z.union([z.string(), z.null()]).optional(),
tax_date: z.union([z.string(), z.null()]).optional(),