Matt
94cbfec70a
- Add escapeHtml() helper and apply to all user-supplied variables in 20+ HTML email templates - Auto-escape in sectionTitle() and statCard() helpers for defense-in-depth - Replace 5 instances of incomplete manual escaping with escapeHtml() - Refactor bulkInviteTeamMembers: batch all DB writes in $transaction, then send emails via Promise.allSettled with concurrency pool of 10 - Fix inner catch block in award-eligibility-job.ts to capture its own error variable Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>