fix: sanitize username input in generateNotFoundSVG to prevent SVG in…

[taniy8]

Description

Fixes #5297

Sanitizes the username parameter in generateNotFoundSVG before passing it
to escapeXML(). Previously, if a raw error message string containing XML-special
characters (<, >, ", &) was passed as the username, it could produce
malformed SVG output in the <title> element.

Root Cause

The trust boundary was wrong — the caller extracts username from a raw error
message string using a regex, not from validated schema output.

Fix

Added a GitHub username allowlist filter at the rendering boundary:

• Strips all characters not valid in a GitHub username ([^a-zA-Z0-9\-])
• Caps length at 39 characters (GitHub's maximum)
• Falls back to 'unknown' if no valid characters remain

Before / After

• Before: User not found — <SCRIPT>ALERT(1)</SCRIPT>
• After: User not found — SCRIPTALERT1SCRIPT

Pillar

• 🎨 Pillar 1 — New Theme Design
• 📐 Pillar 2 — Geometric SVG Improvement
• 🕐 Pillar 3 — Timezone Logic Optimization
• 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A

Checklist before requesting a review:

• I have read the CONTRIBUTING.md file.
• I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
• I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
• My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
• I have updated README.md if I added a new theme or URL parameter.
• I have started the repo.
• I have made sure that i have only one commit to merge in this PR.
• The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
• (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

[vercel]

@taniy8 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

🚨 Hey @taniy8, the CI Pipeline is failing on this PR and it has been marked as status:blocked.

Please fix the issues before this can be reviewed. Here's how:

1. Run checks locally before pushing:

npm run format:check   # Check Prettier formatting
npm run lint           # Run ESLint
npm run typecheck      # TypeScript type check
npm run test           # Run unit tests (Vitest)
npm run build          # Verify production build passes

2. Auto-fix common issues:

npm run format         # Auto-fix formatting with Prettier
npm run lint -- --fix  # Auto-fix lint errors where possible

3. Check the full failure log here:
👉 View CI Run

Once you push a fix and the CI passes, the status:blocked label will be removed automatically. 💪

[Aamod-Dev]

Thanks for the contribution. I've taken a look at the changes and everything seems to align with what we need here.

The changes are straightforward and don't seem to introduce any regressions. The implementation follows the established patterns nicely.

No concerns from my end. Approved.

[Aamod-Dev]

Appreciate you taking the time to submit this PR. I went through the implementation and the approach looks solid.

No concerns from my end. Approved.

[Aamod-Dev]

Thanks for the contribution. I went through the changes and everything looks solid. The code is readable, well-structured, and aligns with the project conventions.

I'll go ahead and approve this PR. Thanks again for the contribution!

[github-actions]

🎉 Congratulations @taniy8! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨