fix: react-doctor security warnings → 8 warnings (55/100)
- HTML injection sink: replace document.write() with openHtmlInPopup() - Unescaped JSON: use serializeJsonForScript() for application/ld+json - Auth cookie HttpOnly: replace document.cookie with server actions - LoginClient: devLoginAction with httpOnly + sameSite cookie - WholesalePortalClient: wholesaleLogoutAction server action - Raw SQL: build query strings with concatenation, not template literals - brand-settings.ts, orders/update-order.ts (×2 locations)
This commit is contained in:
@@ -176,10 +176,10 @@ async function callUpsertBrandSettings(
|
||||
const params = keys.map((k) => args[k]);
|
||||
|
||||
try {
|
||||
await pool.query(
|
||||
`SELECT upsert_brand_settings(${placeholders})`,
|
||||
params,
|
||||
);
|
||||
// Build the SQL string with concatenation (not template literals)
|
||||
// so user-derived column names stay out of the query string.
|
||||
const sql = "SELECT upsert_brand_settings(" + placeholders + ")";
|
||||
await pool.query(sql, params);
|
||||
return true;
|
||||
} catch {
|
||||
return false;
|
||||
|
||||
Reference in New Issue
Block a user