10 Descriptive message about your chansssges

webapp/src/app/api/user/actions/settings/route.ts

@@ -53,8 +53,29 @@ export async function PUT(req:Request)
         phone : string | null = payload.phone as string | null,
         address : string | null = payload.address as string | null,
         showLogo : boolean | null = payload.showLogo as boolean | null,
-        logo : string | null = payload.logo as string | null,
         currencySymbol : string | null = payload.currencySymbol as string | null;
+        let logo : string | null = payload.logo as string | null;
+        
+        // Validate logo if provided
+        if (logo && typeof logo === 'string') {
+            // Check if it's a valid SVG
+            if (!logo.includes('<svg') || !logo.includes('</svg>')) {
+                return NextResponse.json({
+                    success: false,
+                    message: "invalidSVGFile",
+                }, {
+                    status: 400,
+                    headers: {
+                        "content-type": "application/json"
+                    }
+                })
+            }
+            
+            // Remove any script tags for security
+             const cleanLogo = logo.replace(/<script[^>]*>.*?<\/script>/gi, '');
+             // Update the logo variable with cleaned content
+             logo = cleanLogo;
+         }
         // update the doc
         let updated_doc = await userModel.updateMany({} , {
             $set: {

webapp/src/components/dashboard/settings/generalSettings.tsx

@@ -58,13 +58,32 @@ export default function GeneralSettings()
     const handleFileChange = async (event : any , setFieldValue : any) => {
       const file = event.target.files[0];
       if (file) {
+        // Validate file type
+        if (!file.type.includes('svg') && !file.name.toLowerCase().endsWith('.svg')) {
+          alert(t('onlySVGFilesAllowed') || 'Only SVG files are allowed');
+          event.target.value = ''; // Clear the input
+          return;
+        }
+        
         try {
           // get the file content
-          const content = await readFile(file);
+          const content = await readFile(file) as string;
+          
+          // Validate SVG content
+          if (!content.includes('<svg') || !content.includes('</svg>')) {
+            alert(t('invalidSVGFile') || 'Invalid SVG file format');
+            event.target.value = ''; // Clear the input
+            return;
+          }
+          
+          // Additional security check - remove any script tags
+          const cleanContent = content.replace(/<script[^>]*>.*?<\/script>/gi, '');
+          
           // set the field value with with new file content
-          setFieldValue('logo' , content)
+          setFieldValue('logo' , cleanContent)
         } catch (error) {
           console.error('Error reading file:', error);
+          alert(t('errorReadingFile') || 'Error reading file');
         }
       }
     };

webapp/src/messages/ar.json

@@ -364,7 +364,10 @@
     "edite": "التعديل",
     "save": "الحفظ",
     "ignore": "تجاهل",
-    "appNameEN": "اسم التطبيق ( en )"
+    "appNameEN": "اسم التطبيق ( en )",
+    "onlySVGFilesAllowed": "يُسمح فقط بملفات SVG",
+    "invalidSVGFile": "تنسيق ملف SVG غير صالح",
+    "errorReadingFile": "خطأ في قراءة الملف"
   },
   "statistics": {
     "totalMembers": "إجمالي الأعضاء",

webapp/src/messages/en.json

@@ -368,7 +368,10 @@
     "loading": "Loading",
     "edite": "Edite",
     "save": "Save",
-    "ignore": "Ignore"
+    "ignore": "Ignore",
+    "onlySVGFilesAllowed": "Only SVG files are allowed",
+    "invalidSVGFile": "Invalid SVG file format",
+    "errorReadingFile": "Error reading file"
   },
   "statistics": {
     "totalMembers": "Total Members",