Fix security vulnerabilities in fromName field handling

- Add sanitizeDisplayName() method to prevent header injection attacks
- Remove newlines, carriage returns, and control characters from display names
- Fix quote escaping inconsistency between getDefaultFrom() and processEmailItem()
- Create formatEmailAddress() helper method for consistent email formatting
- Add fromName sanitization in sendEmail() function for input validation
- Prevent malformed email headers and potential security issues

Security improvements:
- Header injection prevention (removes \r\n and control characters)
- Consistent quote escaping across all display name usage
- Proper sanitization at both input and output stages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/sendEmail.ts

@@ -100,6 +100,17 @@ export const sendEmail = async <TEmail extends BaseEmailDocument = BaseEmailDocu
     emailData.from = validated && validated.length > 0 ? validated[0] : undefined
   }
 
+  // Sanitize fromName to prevent header injection
+  if (emailData.fromName && emailData.fromName !== null) {
+    emailData.fromName = emailData.fromName
+      .trim()
+      // Remove/replace newlines and carriage returns to prevent header injection
+      .replace(/[\r\n]/g, ' ')
+      // Remove control characters (except space and printable characters)
+      .replace(/[\x00-\x1F\x7F-\x9F]/g, '')
+      // Note: We don't escape quotes here as that's handled in MailingService
+  }
+
   // Normalize Date objects to ISO strings for consistent database storage
   if (emailData.scheduledAt instanceof Date) {
     emailData.scheduledAt = emailData.scheduledAt.toISOString()