
fix(svg): sanitize border and labelColor attributes to prevent XSS#6227

Merged
JhaSourav07 merged 2 commits into
JhaSourav07:mainfrom
diksha78dev:fix/issue-6159
Jun 21, 2026
Conversation

@diksha78dev

Contributor

Description

Fixes #6159

This PR addresses an SVG injection (XSS) vulnerability by applying strict hex color sanitization to the labelColor and border query parameters in the SVG generator. These parameters were previously interpolated directly into the SVG template without validation.

  • Wrapped params.labelColor with sanitizeHexColor using the theme's base color as a secure fallback.
  • Wrapped all params.border occurrences with sanitizeHexColor using #000000 as a secure fallback.
  • Ensures malformed colors or malicious HTML payloads fall back gracefully without breaking the SVG or allowing script execution.

Pillar

  • 🎨 Pillar 1 — New Theme Design
  • 📐 Pillar 2 — Geometric SVG Improvement
  • 🕐 Pillar 3 — Timezone Logic Optimization
  • 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

N/A — Security fix. No visual changes under normal usage. Malformed or malicious inputs now fall back gracefully to safe default colors.

Checklist before requesting a review:

  • I have read the CONTRIBUTING.md file.
  • I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
  • I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
  • My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
  • I have updated README.md if I added a new theme or URL parameter.
  • I have starred the repo.
  • I have made sure that I have only one commit to merge in this PR.
  • The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
  • (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.
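
The sanitizer-with-fallback pattern the description refers to, as an added example written for this page rather than CommitPulse's own code. It places the vulnerable interpolation beside the hardened one so the effect of the change is visible: a query value that closes the `stroke` attribute and appends its own attribute survives in the first, and is replaced by the fallback in the second. The identifiers `sanitizeHexColor`, `renderBadgeUnsafe`, `renderBadgeSafe`, `BadgeParams` and `themeBase` are assumptions for this example, not the names in lib/svg/generator.ts, and the attacker string is constructed here.

```typescript
// Added example, not CommitPulse's own code. Shows the class of bug the PR
// fixes: a query parameter interpolated into an SVG attribute lets the caller
// close the attribute and add their own, while a strict hex-color sanitizer
// with a trusted fallback makes that impossible. All names below are assumed
// for illustration and are not the project's real identifiers.

// Accept 3, 4, 6 or 8 hex digits with an optional leading '#'; nothing else.
// Named colors, rgb(), url() and anything containing quotes are rejected.
const HEX_COLOR = /^#?([0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;

// Next.js hands back string[] for repeated query keys, so the input type is
// modelled honestly instead of assuming a string.
type Query = string | string[] | undefined;

// Returns a normalised "#..." value, or `fallback` for anything that is not a
// plain hex color. The fallback is never sanitized, so it must be a trusted
// literal or a value from the theme table, never another query parameter.
function sanitizeHexColor(input: Query, fallback: string): string {
  if (typeof input !== "string") return fallback;
  const match = HEX_COLOR.exec(input.trim());
  if (match === null) return fallback;
  const digits = match[1];
  if (digits === undefined) return fallback;
  return `#${digits.toLowerCase()}`;
}

interface BadgeParams {
  border?: Query;
  labelColor?: Query;
}

// The vulnerable shape: raw query values land inside quoted attributes.
function renderBadgeUnsafe(params: BadgeParams): string {
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">` +
    `<rect x="1" y="1" width="198" height="38" ` +
    `fill="${params.labelColor}" stroke="${params.border}" stroke-width="2"/>` +
    `</svg>`
  );
}

// The hardened shape: every color passes through the sanitizer first, with
// the theme's base color for labelColor and opaque black for border as the
// fallbacks, mirroring the choice described in the PR.
function renderBadgeSafe(params: BadgeParams, themeBase: string): string {
  const labelColor = sanitizeHexColor(params.labelColor, themeBase);
  const border = sanitizeHexColor(params.border, "#000000");
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="40">` +
    `<rect x="1" y="1" width="198" height="38" ` +
    `fill="${labelColor}" stroke="${border}" stroke-width="2"/>` +
    `</svg>`
  );
}

// Constructed attacker input for the demonstration: it terminates the
// stroke attribute and appends an event-handler attribute of its own.
const CONSTRUCTED_PAYLOAD = `#fff" onload="alert(document.domain)`;
```

Two practitioner notes on the design. The whitelist regex anchors both ends and allows only hex digits, so there is no character an attacker can use to leave the attribute value; that is stronger than escaping quotes, which would still let a caller pass a value the SVG renderer treats as something other than a color. And because the fallback bypasses the check, `#000000` and the theme's base color must come from code or a static theme table; passing a second query parameter as the fallback would reopen the hole.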

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions

github-actions Bot commented Jun 21, 2026

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3697.00 KB 3697.00 KB 0 B
Total CSS 296.58 KB 296.58 KB 0 B

@Aamod-Dev Aamod-Dev added GSSoC 2026 mentor:Aamod007 level:critical High-priority or mission-critical contributions affecting core systems, security, or infrastructure quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security bug Something isn't working labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Thank you for finding and patching this! Unsanitized interpolation of query parameters into SVGs is a classic vector for XSS. Applying sanitizeHexColor to border and labelColor in lib/svg/generator.ts effectively closes this vulnerability. Approved!

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 21, 2026
@JhaSourav07 JhaSourav07 merged commit d7b24d4 into JhaSourav07:main Jun 21, 2026
11 checks passed
@github-actions

Contributor

🎉 Congratulations @diksha78dev! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 21, 2026
@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026

Labels

bug Something isn't working gssoc:approved PR has been reviewed and accepted for valid contribution points GSSoC 2026 level:critical High-priority or mission-critical contributions affecting core systems, security, or infrastructure mentor:Aamod007 quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security type:bug Something isn't working as expected

Development

Successfully merging this pull request may close these issues.

fix(svg): unsanitized border in SVG stroke attribute (MEDIUM)

3 participants