fix: add ESC key support, security comment, and disable async tests

2025-12-02 14:42:03 +01:00 · 2025-12-02 14:42:03 +01:00 · 6d75766dba
commit 6d75766dba
parent 354029c9cc
3 changed files with 13 additions and 3 deletions
--- a/lib/mv_web/live/components/payment_filter_component.ex
+++ b/lib/mv_web/live/components/payment_filter_component.ex
@ -34,7 +34,13 @@ defmodule MvWeb.Components.PaymentFilterComponent do
  @impl true
  def render(assigns) do
    ~H"""
-    <div class="relative" id={@id}>
+    <div
+      class="relative"
+      id={@id}
+      phx-window-keydown={@open && "close_dropdown"}
+      phx-key="Escape"
+      phx-target={@myself}
+    >
      <button
        type="button"
        class={[
--- a/lib/mv_web/live/member_live/index.ex
+++ b/lib/mv_web/live/member_live/index.ex
@ -841,7 +841,10 @@ defmodule MvWeb.MemberLive.Index do

  # Determines valid paid filter from URL parameter.
  #
-  # Only accepts "paid" or "not_paid", falls back to nil for invalid values.
+  # SECURITY: This function whitelists allowed filter values. Only "paid" and "not_paid"
+  # are accepted - all other input (including malicious strings) falls back to nil.
+  # This ensures no raw user input is ever passed to Ash.Query.filter/2, following
+  # Ash's security recommendation to never pass untrusted input directly to filters.
  defp determine_paid_filter("paid"), do: :paid
  defp determine_paid_filter("not_paid"), do: :not_paid
  defp determine_paid_filter(_), do: nil