BillTracker/docs
c31d8cbe9e fix(qa): escape bill name in reminder email HTML — XSS via bill name (B14-04)
- notificationService buildEmailHtml: the message line interpolated bill.name
  raw (`<strong>${bill.name}</strong> is due…`) while the detail table escaped
  it; a `<img src=x onerror=…>` name landed unescaped in the email HTML. Now
  escaped everywhere. (self-XSS — reminders go to the bill's owner — but a clear
  inconsistent-escaping defect)
- expose buildEmailHtml via _email; add an escaping test across all 4 email types
- docs: archive QA-B14-04

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 22:18:05 -05:00
images docs: update user-guide index with recent features (bank status, notifications, cash flow, batch import, merchant rules) 2026-06-04 03:14:54 -05:00
Authentik-Integration.md push 2026-05-09 13:03:36 -05:00
CSRF-SPA-Setup.md v0.28.0 2026-05-15 22:45:38 -05:00
Engineering_Reference_Manual.md chore(cleanup): remove legacy/public HTML files, retire /legacy route, update docs and About page 2026-06-11 23:50:27 -05:00
Engineering_Reference_promp.md push 2026-05-09 13:03:36 -05:00
QA_PLAN.md fix(qa): escape bill name in reminder email HTML — XSS via bill name (B14-04) 2026-07-02 22:18:05 -05:00
RATE_LIMITING_ENHANCEMENT.md push 2026-05-09 13:03:36 -05:00
ROADMAP_REDESIGN_PLAN.md v0.28.0 2026-05-15 22:45:38 -05:00
ROADMAP_UI_AUDIT.md v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed 2026-05-11 21:42:36 -05:00
UI_IMPROVEMENTS.md push 2026-05-09 13:03:36 -05:00
advisory_non_bill_transaction_filters_us_ms_5000.json feat: advisory non-bill transaction filter system (batch 0.33.8.0) 2026-05-29 18:06:12 -05:00
cents-migration-plan.md feat(money): migrate services to cent-exact money.js helpers (batch 0.38.3) 2026-06-10 20:14:13 -05:00
merchant_store_match_us_nems_online_5k_v0_2.json feat(banking): bank transactions page with merchant/store matching, transaction matching refactor, bank sync improvements (batch 0.40.0) 2026-06-14 15:15:31 -05:00
top_200_us_subscriptions.csv chore: bump to v0.34.1.1, Claude.ai catalog seed, subscription fixes 2026-05-30 17:57:34 -05:00
top_200_us_subscriptions_researched_2026-06-06.json feat(subscriptions): simplified SubscriptionsPage, inline actions, improved matching card, Service Catalog route 2026-06-06 22:09:34 -05:00