Enhance content sanitization across various components by integrating 'dompurify' for improved security and update package dependencies in package.json and package-lock.json.

server/api/spielplan/download/[filename].get.js

@@ -36,6 +36,15 @@ export default defineEventHandler(async (event) => {
       })
     }
     
+    // Zusätzliche Path-Traversal-Prüfung
+    const sanitizedFilename = path.basename(path.normalize(filename))
+    if (sanitizedFilename !== filename || sanitizedFilename.includes('..')) {
+      throw createError({
+        statusCode: 400,
+        statusMessage: 'Ungültiger Dateiname'
+      })
+    }
+    
     let filePath
     
     if (isDynamicMannschaft) {
@@ -44,7 +53,7 @@ export default defineEventHandler(async (event) => {
       filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', 'spielplan_gesamt.pdf')
     } else {
       // Für vordefinierte PDFs
-      filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', filename)
+      filePath = path.join(process.cwd(), 'public', 'documents', 'spielplaene', sanitizedFilename)
     }
     
     // Prüfe ob Datei existiert

server/api/spielplan/pdf.get.js

@@ -359,6 +359,8 @@ ${hallenListe.map(halle => {
       // Verzeichnis existiert bereits
     }
     
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal
+    // team is validated against allowlist, Date.now() is safe, path traversal prevented
     const tempTexFile = path.join(tempDir, `spielplan_${team}_${Date.now()}.tex`)
     await fs.writeFile(tempTexFile, latexContent, 'utf-8')