test(lesereisen): TDD red — tighten factories, add journey/selector/ssr tests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/geschichte/GeschichtenCard.svelte.spec.ts

@@ -121,6 +121,16 @@ describe('GeschichtenCard', () => {
 		expect(link.getAttribute('href')).toBe('/geschichten?personId=p1');
 	});
 
+	it('JOURNEY type does not bleed a REISE badge into the person-sidebar card', async () => {
+		render(GeschichtenCard, {
+			geschichten: [{ ...makeStory('g1', 'Reise Berlin'), type: 'JOURNEY' as const }],
+			personId: 'p1',
+			personName: 'Franz',
+			canWrite: false
+		});
+		expect(document.querySelector('[data-testid="journey-badge"]')).toBeNull();
+	});
+
 	it('renders a plain-text excerpt without HTML markup', async () => {
 		render(GeschichtenCard, {
 			geschichten: [

frontend/src/lib/shared/utils/extractText.spec.ts

@@ -48,6 +48,18 @@ describe('extractText', () => {
 	});
 });
 
+// SSR regex-fallback XSS gate — must stay in the Node (.test.ts / .spec.ts) project.
+// The browser project's DOMParser would silently take the safe branch → false green.
+// This test fires the regex fallback specifically (Node has no DOMParser).
+describe('plainExcerpt — SSR regex-fallback XSS gate (Node tier)', () => {
+	it('does not emit onerror= in output when given an <img onerror> payload (security regression)', () => {
+		// plainExcerpt calls extractText which regex-strips tags in Node (no DOMParser).
+		// SvelteKit SSR auto-escapes the result, so onerror= in output is the first-paint risk.
+		const out = plainExcerpt('<img src=x onerror="window.__xss=1">');
+		expect(out).not.toContain('onerror=');
+	});
+});
+
 describe('plainExcerpt', () => {
 	it('returns full text when under the limit', () => {
 		expect(plainExcerpt('<p>short</p>', 80)).toBe('short');