
Add notification email provider HTML/text injection and header-sanitization tests in src/tests/email.injection.test.ts #738

@1nonlypiece

📌 Description

src/services/notifications/email.provider.ts composes outbound email. If
user-controlled fields (vault title, org name) flow into headers or HTML bodies
unsanitized, the system is exposed to header injection (CRLF) and HTML/script
injection. Existing provider tests do not cover injection.

This issue adds header- and content-injection sanitization tests for the email
provider.

Goal: prove user-controlled email fields cannot inject headers or unsafe
HTML into outbound mail.

🎯 Requirements and Context

  • Must assert CRLF in subject/recipient is stripped/rejected.
  • Must assert HTML in dynamic fields is escaped in the HTML body.
  • Must cover a benign field rendering correctly.
  • Must run with bun test.

🛠️ Suggested Execution

1. Fork the repo and create a branch

git checkout -b test/email-injection-guards

2. Implement changes

  • Add src/tests/email.injection.test.ts; add minimal sanitization in
    email.provider.ts if missing.

3. Test and commit

  • Run with bun test.
  • Cover edge cases: CRLF header, HTML body, script tag, benign content.

Example commit message

test: email provider header and HTML injection guards

✅ Guidelines

  • Minimum 95% test coverage on the new/changed lines.
  • Clear, reviewer-friendly documentation.
  • No regressions on existing email delivery.
  • Timeframe: 96 hours.

🏷️ Labels

type-testing · type-security · area-backend · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN

💬 Community & Support

  • Join the Disciplr contributor Discord to coordinate, ask questions, and get
    unblocked fast: https://discord.gg/xvNAvMJf
  • Please introduce yourself in the channel before you start so we can avoid
    duplicate work, pair you with a reviewer, and get your PR merged quickly.
  • Maintainers actively triage this channel and aim for fast, clear, respectful
    reviews — reach out any time you're blocked.

Labels

  • GRANTFOX OSS: GrantFox open-source campaign
  • MAYBE REWARDED: Eligible for GrantFox reward
  • OFFICIAL CAMPAIGN: Official GrantFox campaign issue
  • Stellar Wave: Issues in the Stellar wave program
  • area-backend: Backend / API work
  • type-security: Security review / hardening
  • type-testing: Tests and test coverage