update

Backend/src/rooms/routes/advanced_room_routes.py

@@ -9,6 +9,7 @@ import hashlib
 from ...shared.config.database import get_db
 from ...shared.config.logging_config import get_logger
 from ...security.middleware.auth import get_current_user, authorize_roles
+from ...shared.utils.sanitization import sanitize_text
 from ...auth.models.user import User
 from ...auth.models.role import Role
 from ..models.room import Room, RoomStatus
@@ -246,12 +247,17 @@ async def create_maintenance_record(
         if maintenance_data.get('block_end'):
             block_end = datetime.fromisoformat(maintenance_data['block_end'].replace('Z', '+00:00'))
         
+        # Sanitize user input
+        sanitized_title = sanitize_text(maintenance_data.get('title', 'Maintenance'))
+        sanitized_description = sanitize_text(maintenance_data.get('description')) if maintenance_data.get('description') else None
+        sanitized_notes = sanitize_text(maintenance_data.get('notes')) if maintenance_data.get('notes') else None
+        
         maintenance = RoomMaintenance(
             room_id=maintenance_data['room_id'],
             maintenance_type=MaintenanceType(maintenance_data.get('maintenance_type', 'preventive')),
             status=MaintenanceStatus(maintenance_data.get('status', 'scheduled')),
-            title=maintenance_data.get('title', 'Maintenance'),
-            description=maintenance_data.get('description'),
+            title=sanitized_title,
+            description=sanitized_description,
             scheduled_start=scheduled_start,
             scheduled_end=scheduled_end,
             assigned_to=maintenance_data.get('assigned_to'),
@@ -261,7 +267,7 @@ async def create_maintenance_record(
             block_start=block_start,
             block_end=block_end,
             priority=maintenance_data.get('priority', 'medium'),
-            notes=maintenance_data.get('notes')
+            notes=sanitized_notes
         )
         
         # Update room status if blocking and maintenance is active
@@ -362,7 +368,7 @@ async def update_maintenance_record(
         if 'actual_end' in maintenance_data:
             maintenance.actual_end = datetime.fromisoformat(maintenance_data['actual_end'].replace('Z', '+00:00'))
         if 'completion_notes' in maintenance_data:
-            maintenance.completion_notes = maintenance_data['completion_notes']
+            maintenance.completion_notes = sanitize_text(maintenance_data['completion_notes']) if maintenance_data['completion_notes'] else None
         if 'actual_cost' in maintenance_data:
             maintenance.actual_cost = maintenance_data['actual_cost']
         
@@ -604,6 +610,9 @@ async def create_housekeeping_task(
         if is_housekeeping and not assigned_to:
             assigned_to = current_user.id
         
+        # Sanitize user input
+        sanitized_notes = sanitize_text(task_data.get('notes')) if task_data.get('notes') else None
+        
         task = HousekeepingTask(
             room_id=task_data['room_id'],
             booking_id=task_data.get('booking_id'),
@@ -613,7 +622,7 @@ async def create_housekeeping_task(
             assigned_to=assigned_to,
             created_by=current_user.id,
             checklist_items=task_data.get('checklist_items', []),
-            notes=task_data.get('notes'),
+            notes=sanitized_notes,
             estimated_duration_minutes=task_data.get('estimated_duration_minutes')
         )
         
@@ -774,16 +783,16 @@ async def update_housekeeping_task(
         if 'checklist_items' in task_data:
             task.checklist_items = task_data['checklist_items']
         if 'notes' in task_data:
-            task.notes = task_data['notes']
+            task.notes = sanitize_text(task_data['notes']) if task_data['notes'] else None
         if 'issues_found' in task_data:
-            task.issues_found = task_data['issues_found']
+            task.issues_found = sanitize_text(task_data['issues_found']) if task_data['issues_found'] else None
         if 'quality_score' in task_data:
             task.quality_score = task_data['quality_score']
         if 'inspected_by' in task_data:
             task.inspected_by = task_data['inspected_by']
             task.inspected_at = datetime.utcnow()
         if 'inspection_notes' in task_data:
-            task.inspection_notes = task_data['inspection_notes']
+            task.inspection_notes = sanitize_text(task_data['inspection_notes']) if task_data['inspection_notes'] else None
         if 'photos' in task_data:
             task.photos = task_data['photos']
         
@@ -930,11 +939,11 @@ async def report_maintenance_issue_from_task(
         if not room:
             raise HTTPException(status_code=404, detail='Room not found')
         
-        # Create maintenance record
-        title = issue_data.get('title', f'Issue reported from Room {room.room_number}')
-        description = issue_data.get('description', '')
+        # Create maintenance record - sanitize user input
+        title = sanitize_text(issue_data.get('title', f'Issue reported from Room {room.room_number}'))
+        description = sanitize_text(issue_data.get('description', ''))
         if task.notes:
-            description = f"Reported from housekeeping task.\n\nTask Notes: {task.notes}\n\nIssue Description: {description}".strip()
+            description = f"Reported from housekeeping task.\n\nTask Notes: {sanitize_text(task.notes)}\n\nIssue Description: {description}".strip()
         else:
             description = f"Reported from housekeeping task.\n\nIssue Description: {description}".strip()
         
@@ -949,7 +958,7 @@ async def report_maintenance_issue_from_task(
             reported_by=current_user.id,
             priority=issue_data.get('priority', 'high'),
             blocks_room=issue_data.get('blocks_room', True),
-            notes=issue_data.get('notes', f'Reported from housekeeping task #{task_id}')
+            notes=sanitize_text(issue_data.get('notes', f'Reported from housekeeping task #{task_id}'))
         )
         
         # Update room status if blocking
@@ -1168,15 +1177,15 @@ async def update_room_inspection(
         if 'overall_score' in inspection_data:
             inspection.overall_score = inspection_data['overall_score']
         if 'overall_notes' in inspection_data:
-            inspection.overall_notes = inspection_data['overall_notes']
+            inspection.overall_notes = sanitize_text(inspection_data['overall_notes']) if inspection_data['overall_notes'] else None
         if 'issues_found' in inspection_data:
-            inspection.issues_found = inspection_data['issues_found']
+            inspection.issues_found = sanitize_text(inspection_data['issues_found']) if inspection_data['issues_found'] else None
         if 'photos' in inspection_data:
             inspection.photos = inspection_data['photos']
         if 'requires_followup' in inspection_data:
             inspection.requires_followup = inspection_data['requires_followup']
         if 'followup_notes' in inspection_data:
-            inspection.followup_notes = inspection_data['followup_notes']
+            inspection.followup_notes = sanitize_text(inspection_data['followup_notes']) if inspection_data['followup_notes'] else None
         if 'maintenance_request_id' in inspection_data:
             inspection.maintenance_request_id = inspection_data['maintenance_request_id']