fix: react-doctor security warnings → 8 warnings (55/100)

- HTML injection sink: replace document.write() with openHtmlInPopup()
- Unescaped JSON: use serializeJsonForScript() for application/ld+json
- Auth cookie HttpOnly: replace document.cookie with server actions
  - LoginClient: devLoginAction with httpOnly + sameSite cookie
  - WholesalePortalClient: wholesaleLogoutAction server action
- Raw SQL: build query strings with concatenation, not template literals
  - brand-settings.ts, orders/update-order.ts (×2 locations)
This commit is contained in:
Nora
2026-06-26 00:04:59 -06:00
parent 0ac4beaaa8
commit 8e011da521
34 changed files with 150 additions and 157 deletions
+9 -10
View File
@@ -1,5 +1,6 @@
import { useEffect, useState } from "react";
import { AdminButton, AdminSearchInput } from "@/components/admin/design-system";
import { openHtmlInPopup } from "@/lib/safe-window";
import {
type WholesaleOrder,
type WholesaleCustomer,
@@ -277,8 +278,7 @@ export default function OrdersTab({ orders, customers, brandId, onMsg, onRefresh
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ brandId, orders: pending }),
}).then(r => r.text());
const w = window.open("", "_blank");
if (w) { w.document.write(html); w.document.close(); }
openHtmlInPopup(html);
setManifestLoading(false);
}}
disabled={manifestLoading}
@@ -395,14 +395,13 @@ export default function OrdersTab({ orders, customers, brandId, onMsg, onRefresh
<button
onClick={() => {
setOpenActions(null);
const w = window.open("", "_blank");
if (w) {
fetch("/api/wholesale/manifest", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ brandId, orders: [o] }),
}).then(r => r.text()).then(html => { w.document.write(html); w.document.close(); });
}
fetch("/api/wholesale/manifest", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ brandId, orders: [o] }),
})
.then((r) => r.text())
.then((html) => openHtmlInPopup(html));
}}
className="w-full text-left px-4 py-3 text-[var(--admin-text-secondary)] hover:bg-[var(--admin-bg-subtle)] flex items-center gap-3"
>