BillTracker/tests
c31d8cbe9e fix(qa): escape bill name in reminder email HTML — XSS via bill name (B14-04)
- notificationService buildEmailHtml: the message line interpolated bill.name
  raw (`<strong>${bill.name}</strong> is due…`) while the detail table escaped
  it; a `<img src=x onerror=…>` name landed unescaped in the email HTML. Now
  escaped everywhere. (self-XSS — reminders go to the bill's owner — but a clear
  inconsistent-escaping defect)
- expose buildEmailHtml via _email; add an escaping test across all 4 email types
- docs: archive QA-B14-04

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 22:18:05 -05:00
backupAndCleanup.test.js feat: Payoff Custom mode, Summary reordering, unified billing schedule, SimpleFIN + backup fixes (batch v0.34.1.3) 2026-05-30 21:20:51 -05:00
bankSyncService.test.js fix(bank-sync): transaction matching, services, and worker updates 2026-06-07 20:07:27 -05:00
billReorder.test.js feat(money): cents migration stage 2 — schema flip to integer cents (batch 0.38.4) 2026-06-11 20:12:31 -05:00
billsService.test.js feat: Payoff Custom mode, Summary reordering, unified billing schedule, SimpleFIN + backup fixes (batch v0.34.1.3) 2026-05-30 21:20:51 -05:00
calendarFeedService.test.js feat(money): cents migration stage 2 — schema flip to integer cents (batch 0.38.4) 2026-06-11 20:12:31 -05:00
categoryGroups.test.js feat(spending): category groups, YNAB-style spending page overhaul, 3-month averages, cover overspending (batch 0.41.0) 2026-06-14 19:21:34 -05:00
categoryReorder.test.js feat: reordering across management pages (Bills, Subscriptions, Categories, Snowball) — batch v0.34.1.2 2026-05-30 20:04:50 -05:00
csvTransactionImportService.test.js v0.28.01 2026-05-16 20:26:09 -05:00
money.test.js fix(qa): cent-exact toCents rounding + money.js test coverage 2026-07-02 21:11:12 -05:00
notificationDelivery.test.js fix(qa): escape bill name in reminder email HTML — XSS via bill name (B14-04) 2026-07-02 22:18:05 -05:00
profileRoute.test.js feat: profile settings UI, auth service refactor, schema migration, route tests 2026-06-07 01:17:49 -05:00
safeToSpend.test.js feat(cashflow): safe-to-spend projection with timeline, vitest setup, package upgrades 2026-06-12 01:32:28 -05:00
spendingSummary.test.js feat(spending): category groups, YNAB-style spending page overhaul, 3-month averages, cover overspending (batch 0.41.0) 2026-06-14 19:21:34 -05:00
statusService.test.js feat(money): cents migration stage 2 — schema flip to integer cents (batch 0.38.4) 2026-06-11 20:12:31 -05:00
subscriptionService.test.js feat(money): cents migration stage 2 — schema flip to integer cents (batch 0.38.4) 2026-06-11 20:12:31 -05:00
summaryBankTracking.test.js fix(qa): bank-tracking unpaid_this_month gates by occurrence (QA-B5-02) 2026-07-02 21:41:33 -05:00
summarySkipOverride.test.js test(qa): summary skip-exclusion + per-month override regression (B2/B5) 2026-07-02 21:56:46 -05:00
transactionMatchService.test.js feat(money): cents migration stage 2 — schema flip to integer cents (batch 0.38.4) 2026-06-11 20:12:31 -05:00