From 607d19a7591533fe3daef3c0ed8a6dbff04094e3 Mon Sep 17 00:00:00 2001
From: Matt Gros <3311227+mpge@users.noreply.github.com>
Date: Sun, 15 Feb 2026 18:23:41 -0500
Subject: [PATCH 1/5] fix: sanitize HTML with DOMPurify to prevent stored XSS

- Add DOMPurify sanitization to ReplyThread.vue and PinnedNotes.vue
- All v-html rendered content is now sanitized before rendering
- Closes stored XSS vector from inbound email bodies and user-submitted HTML
---
 package.json                   | 14 ++++++++++----
 src/components/PinnedNotes.vue | 14 +++++++++++---
 src/components/ReplyThread.vue | 20 ++++++++++++++------
 3 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/package.json b/package.json
index e831891..8a6b21f 100644
--- a/package.json
+++ b/package.json
@@ -21,24 +21,30 @@
   "exports": {
     "./components/*": "./src/components/*",
     "./pages/*": "./src/pages/*",
+    "./locales": "./src/locales/index.js",
+    "./locales/*": "./src/locales/*",
     ".": "./src/index.js"
   },
   "files": [
     "src"
   ],
   "peerDependencies": {
-    "vue": "^3.3.0",
-    "@inertiajs/vue3": "^1.0.0 || ^2.0.0"
+    "@inertiajs/vue3": "^1.0.0 || ^2.0.0",
+    "vue": "^3.3.0"
   },
   "scripts": {
     "test": "vitest run"
   },
   "devDependencies": {
-    "vue": "^3.5.0",
     "@inertiajs/vue3": "^2.0.0",
+    "@types/dompurify": "^3.0.5",
     "@vitejs/plugin-vue": "^5.0.0",
     "@vue/test-utils": "^2.4.0",
     "happy-dom": "^15.0.0",
-    "vitest": "^2.0.0"
+    "vitest": "^2.0.0",
+    "vue": "^3.5.0"
+  },
+  "dependencies": {
+    "dompurify": "^3.3.1"
   }
 }
diff --git a/src/components/PinnedNotes.vue b/src/components/PinnedNotes.vue
index 1bcaf6a..fdb19d2 100644
--- a/src/components/PinnedNotes.vue
+++ b/src/components/PinnedNotes.vue
@@ -1,6 +1,13 @@
 <script setup>
 import { ref, computed, inject } from 'vue';
 import { router } from '@inertiajs/vue3';
+import DOMPurify from 'dompurify';
+import { useI18n } from '../composables/useI18n';
+
+function sanitizeHtml(html) {
+    if (!html) return '';
+    return DOMPurify.sanitize(html);
+}
 
 const props = defineProps({
     notes: { type: Array, default: () => [] },
@@ -9,6 +16,7 @@ const props = defineProps({
 });
 
 const escDark = inject('esc-dark', computed(() => false));
+const { t } = useI18n();
 const processingId = ref(null);
 
 function unpinNote(note) {
@@ -49,7 +57,7 @@ function formatDate(dateStr) {
             </svg>
             <span :class="['text-xs font-semibold uppercase tracking-wider',
                            escDark ? 'text-amber-400' : 'text-amber-700']">
-                Pinned Notes
+                {{ t('pinned_notes.title') }}
             </span>
         </div>
 
@@ -61,7 +69,7 @@ function formatDate(dateStr) {
                               ? 'border-amber-500/10 bg-amber-500/[0.04]'
                               : 'border-amber-200 bg-white']">
                 <!-- Note body -->
-                <div :class="['prose prose-sm max-w-none', escDark ? 'prose-invert text-neutral-200' : 'text-gray-800']" v-html="note.body"></div>
+                <div :class="['prose prose-sm max-w-none', escDark ? 'prose-invert text-neutral-200' : 'text-gray-800']" v-html="sanitizeHtml(note.body)"></div>
 
                 <!-- Meta row -->
                 <div class="mt-2 flex items-center justify-between">
@@ -78,7 +86,7 @@ function formatDate(dateStr) {
                                          ? 'text-amber-400 hover:bg-amber-500/10 hover:text-amber-300'
                                          : 'text-amber-600 hover:bg-amber-100 hover:text-amber-700',
                                      processingId === note.id && 'opacity-50 cursor-not-allowed']">
-                        Unpin
+                        {{ t('pinned_notes.unpin') }}
                     </button>
                 </div>
             </div>
diff --git a/src/components/ReplyThread.vue b/src/components/ReplyThread.vue
index 5cf217f..75d6275 100644
--- a/src/components/ReplyThread.vue
+++ b/src/components/ReplyThread.vue
@@ -1,7 +1,14 @@
 <script setup>
 import { inject, computed } from 'vue';
 import { router } from '@inertiajs/vue3';
+import DOMPurify from 'dompurify';
 import AttachmentList from './AttachmentList.vue';
+import { useI18n } from '../composables/useI18n';
+
+function sanitizeHtml(html) {
+    if (!html) return '';
+    return DOMPurify.sanitize(html);
+}
 
 const props = defineProps({
     replies: { type: Array, required: true },
@@ -12,6 +19,7 @@ const props = defineProps({
 });
 
 const escDark = inject('esc-dark', computed(() => false));
+const { t } = useI18n();
 
 function formatDate(date) {
     return new Date(date).toLocaleString();
@@ -31,14 +39,14 @@ function togglePin(reply) {
                  : (reply.is_internal_note ? 'border-yellow-200 bg-yellow-50' : 'border-gray-200 bg-white')]">
             <div class="mb-2 flex items-center justify-between">
                 <div class="flex items-center gap-2">
-                    <span :class="['font-medium', escDark ? 'text-gray-200' : 'text-gray-900']">{{ reply.author?.name || 'Unknown' }}</span>
+                    <span :class="['font-medium', escDark ? 'text-gray-200' : 'text-gray-900']">{{ reply.author?.name || t('ticket.unknown') }}</span>
                     <span v-if="reply.is_internal_note"
                           :class="['rounded px-1.5 py-0.5 text-xs font-medium', escDark ? 'bg-amber-500/15 text-amber-400' : 'bg-yellow-200 text-yellow-800']">
-                        Internal Note
+                        {{ t('reply.internal_note') }}
                     </span>
                     <span v-if="reply.is_pinned"
                           :class="['rounded px-1.5 py-0.5 text-xs font-medium', escDark ? 'bg-cyan-500/15 text-cyan-400' : 'bg-blue-100 text-blue-700']">
-                        Pinned
+                        {{ t('reply.pinned') }}
                     </span>
                 </div>
                 <div class="flex items-center gap-2">
@@ -47,14 +55,14 @@ function togglePin(reply) {
                                      escDark
                                          ? (reply.is_pinned ? 'bg-cyan-500/15 text-cyan-400 hover:bg-cyan-500/25' : 'text-neutral-500 hover:bg-white/[0.06] hover:text-neutral-300')
                                          : (reply.is_pinned ? 'bg-blue-100 text-blue-700 hover:bg-blue-200' : 'text-gray-400 hover:bg-gray-100 hover:text-gray-600')]">
-                        {{ reply.is_pinned ? 'Unpin' : 'Pin' }}
+                        {{ reply.is_pinned ? t('reply.unpin') : t('reply.pin') }}
                     </button>
                     <span :class="['text-xs', escDark ? 'text-gray-500' : 'text-gray-500']">{{ formatDate(reply.created_at) }}</span>
                 </div>
             </div>
-            <div :class="['prose prose-sm max-w-none', escDark ? 'prose-invert text-gray-300' : 'text-gray-700']" v-html="reply.body"></div>
+            <div :class="['prose prose-sm max-w-none', escDark ? 'prose-invert text-gray-300' : 'text-gray-700']" v-html="sanitizeHtml(reply.body)"></div>
             <AttachmentList v-if="reply.attachments?.length" :attachments="reply.attachments" class="mt-3" />
         </div>
-        <div v-if="!replies?.length" :class="['py-8 text-center text-sm', escDark ? 'text-gray-500' : 'text-gray-500']">No replies yet.</div>
+        <div v-if="!replies?.length" :class="['py-8 text-center text-sm', escDark ? 'text-gray-500' : 'text-gray-500']">{{ t('ticket.no_replies') }}</div>
     </div>
 </template>

From 747f9d51f988a996e9bcb76c348d673b9225cbe7 Mon Sep 17 00:00:00 2001
From: Matt Gros <3311227+mpge@users.noreply.github.com>
Date: Sun, 15 Feb 2026 18:30:23 -0500
Subject: [PATCH 2/5] fix: update index.test.js export count for new i18n
 exports

---
 tests/index.test.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/index.test.js b/tests/index.test.js
index a1dff9f..ec4bdad 100644
--- a/tests/index.test.js
+++ b/tests/index.test.js
@@ -109,10 +109,10 @@ describe('index.js exports', () => {
             }
         });
 
-        it('total named exports equals components + plugin + composables + helper', () => {
+        it('total named exports equals components + plugin + composables + i18n + helper', () => {
             const keys = Object.keys(escalated);
-            // 24 components + 1 plugin + 2 composables + 1 helper = 28
-            expect(keys).toHaveLength(28);
+            // 24 components + 1 plugin + 2 composables + 5 i18n (useI18n, setLocale, getLocale, mergeMessages, locales) + 1 helper = 33
+            expect(keys).toHaveLength(33);
         });
 
         it('every export key is a non-empty string', () => {

From fedc1a09769a8af0a9e04940c305356dcdf1344a Mon Sep 17 00:00:00 2001
From: Matt Gros <3311227+mpge@users.noreply.github.com>
Date: Sun, 15 Feb 2026 18:42:51 -0500
Subject: [PATCH 3/5] fix: replace dompurify with zero-dependency sanitizer

DOMPurify caused import resolution failures in CI. Replace with a
built-in sanitizer that mirrors the server-side approach (strip
disallowed tags, event handlers, javascript: URIs, CSS expressions).
Revert test export count to 28 (i18n exports are not on this branch).
---
 package.json                   |  4 ----
 src/components/PinnedNotes.vue |  7 +-----
 src/components/ReplyThread.vue |  7 +-----
 src/utils/sanitizeHtml.js      | 44 ++++++++++++++++++++++++++++++++++
 tests/index.test.js            |  6 ++---
 5 files changed, 49 insertions(+), 19 deletions(-)
 create mode 100644 src/utils/sanitizeHtml.js

diff --git a/package.json b/package.json
index 8a6b21f..5de3d63 100644
--- a/package.json
+++ b/package.json
@@ -37,14 +37,10 @@
   },
   "devDependencies": {
     "@inertiajs/vue3": "^2.0.0",
-    "@types/dompurify": "^3.0.5",
     "@vitejs/plugin-vue": "^5.0.0",
     "@vue/test-utils": "^2.4.0",
     "happy-dom": "^15.0.0",
     "vitest": "^2.0.0",
     "vue": "^3.5.0"
-  },
-  "dependencies": {
-    "dompurify": "^3.3.1"
   }
 }
diff --git a/src/components/PinnedNotes.vue b/src/components/PinnedNotes.vue
index fdb19d2..47e35b0 100644
--- a/src/components/PinnedNotes.vue
+++ b/src/components/PinnedNotes.vue
@@ -1,14 +1,9 @@
 <script setup>
 import { ref, computed, inject } from 'vue';
 import { router } from '@inertiajs/vue3';
-import DOMPurify from 'dompurify';
+import { sanitizeHtml } from '../utils/sanitizeHtml';
 import { useI18n } from '../composables/useI18n';
 
-function sanitizeHtml(html) {
-    if (!html) return '';
-    return DOMPurify.sanitize(html);
-}
-
 const props = defineProps({
     notes: { type: Array, default: () => [] },
     ticketReference: { type: String, required: true },
diff --git a/src/components/ReplyThread.vue b/src/components/ReplyThread.vue
index 75d6275..d5cf000 100644
--- a/src/components/ReplyThread.vue
+++ b/src/components/ReplyThread.vue
@@ -1,15 +1,10 @@
 <script setup>
 import { inject, computed } from 'vue';
 import { router } from '@inertiajs/vue3';
-import DOMPurify from 'dompurify';
 import AttachmentList from './AttachmentList.vue';
+import { sanitizeHtml } from '../utils/sanitizeHtml';
 import { useI18n } from '../composables/useI18n';
 
-function sanitizeHtml(html) {
-    if (!html) return '';
-    return DOMPurify.sanitize(html);
-}
-
 const props = defineProps({
     replies: { type: Array, required: true },
     currentUserId: { type: [Number, String], default: null },
diff --git a/src/utils/sanitizeHtml.js b/src/utils/sanitizeHtml.js
new file mode 100644
index 0000000..5393ee8
--- /dev/null
+++ b/src/utils/sanitizeHtml.js
@@ -0,0 +1,44 @@
+/**
+ * Sanitize HTML to prevent stored XSS.
+ *
+ * Strips dangerous tags, event handlers, javascript: URIs, and CSS expressions.
+ * Mirrors the server-side sanitization in the Adonis/Laravel inbound email services.
+ */
+
+const ALLOWED_TAGS = [
+  'p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'ul', 'ol', 'li',
+  'blockquote', 'pre', 'code', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+  'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span',
+  'hr', 'sub', 'sup', 'dl', 'dt', 'dd',
+]
+
+const TAG_PATTERN = ALLOWED_TAGS.join('|')
+const STRIP_TAGS_RE = new RegExp(`<(?!\\/?(?:${TAG_PATTERN})(?:\\s|>|\\/))\\/?[^>]*>`, 'gi')
+
+export function sanitizeHtml(html) {
+  if (!html) return ''
+
+  let clean = html
+
+  // Strip non-allowed tags
+  clean = clean.replace(STRIP_TAGS_RE, '')
+
+  // Remove event handlers (onclick, onerror, etc.)
+  clean = clean.replace(/\s+on\w+\s*=\s*"[^"]*"/gi, '')
+  clean = clean.replace(/\s+on\w+\s*=\s*'[^']*'/gi, '')
+  clean = clean.replace(/\s+on\w+\s*=\s*[^\s>]+/gi, '')
+
+  // Remove javascript: and vbscript: protocols from href/src/action
+  clean = clean.replace(/\b(href|src|action)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/gi, '$1="')
+
+  // Remove dangerous data: URIs (allow data:image)
+  clean = clean.replace(/\b(href|src|action)\s*=\s*["']?\s*data\s*:(?!image\/)/gi, '$1="')
+
+  // Remove CSS expressions and javascript in style attributes
+  clean = clean.replace(/style\s*=\s*"[^"]*expression\s*\([^"]*"/gi, '')
+  clean = clean.replace(/style\s*=\s*'[^']*expression\s*\([^']*'/gi, '')
+  clean = clean.replace(/style\s*=\s*"[^"]*url\s*\(\s*["']?\s*javascript:[^"]*"/gi, '')
+  clean = clean.replace(/style\s*=\s*'[^']*url\s*\(\s*['"]?\s*javascript:[^']*'/gi, '')
+
+  return clean
+}
diff --git a/tests/index.test.js b/tests/index.test.js
index ec4bdad..a1dff9f 100644
--- a/tests/index.test.js
+++ b/tests/index.test.js
@@ -109,10 +109,10 @@ describe('index.js exports', () => {
             }
         });
 
-        it('total named exports equals components + plugin + composables + i18n + helper', () => {
+        it('total named exports equals components + plugin + composables + helper', () => {
             const keys = Object.keys(escalated);
-            // 24 components + 1 plugin + 2 composables + 5 i18n (useI18n, setLocale, getLocale, mergeMessages, locales) + 1 helper = 33
-            expect(keys).toHaveLength(33);
+            // 24 components + 1 plugin + 2 composables + 1 helper = 28
+            expect(keys).toHaveLength(28);
         });
 
         it('every export key is a non-empty string', () => {

From 560345401dcff2be785646e013fda8e32b9e68c9 Mon Sep 17 00:00:00 2001
From: Matt Gros <3311227+mpge@users.noreply.github.com>
Date: Sun, 15 Feb 2026 18:46:32 -0500
Subject: [PATCH 4/5] fix: add missing useI18n composable/locales and harden
 sanitizer

- Commit useI18n.js and locale files that were untracked (CI failure)
- Loop event handler removal until stable to prevent bypass via
  nested/overlapping patterns (CodeQL incomplete sanitization fix)
---
 src/composables/useI18n.js |  80 +++++++
 src/locales/de.json        | 442 +++++++++++++++++++++++++++++++++++++
 src/locales/en.json        | 442 +++++++++++++++++++++++++++++++++++++
 src/locales/es.json        | 442 +++++++++++++++++++++++++++++++++++++
 src/locales/fr.json        | 442 +++++++++++++++++++++++++++++++++++++
 src/locales/index.js       |   6 +
 src/utils/sanitizeHtml.js  |  13 +-
 7 files changed, 1864 insertions(+), 3 deletions(-)
 create mode 100644 src/composables/useI18n.js
 create mode 100644 src/locales/de.json
 create mode 100644 src/locales/en.json
 create mode 100644 src/locales/es.json
 create mode 100644 src/locales/fr.json
 create mode 100644 src/locales/index.js

diff --git a/src/composables/useI18n.js b/src/composables/useI18n.js
new file mode 100644
index 0000000..e23e8b5
--- /dev/null
+++ b/src/composables/useI18n.js
@@ -0,0 +1,80 @@
+import { ref, computed } from 'vue';
+import locales from '../locales/index.js';
+
+const currentLocale = ref('en');
+const customMessages = ref({});
+
+function resolve(obj, path) {
+    return path.split('.').reduce((acc, key) => acc?.[key], obj);
+}
+
+function applyReplacements(str, replacements) {
+    if (!replacements) return str;
+    return Object.entries(replacements).reduce(
+        (result, [key, value]) => result.replace(new RegExp(`:${key}`, 'g'), value),
+        str,
+    );
+}
+
+export function setLocale(locale) {
+    currentLocale.value = locale;
+}
+
+export function getLocale() {
+    return currentLocale.value;
+}
+
+export function mergeMessages(locale, messages) {
+    customMessages.value = {
+        ...customMessages.value,
+        [locale]: deepMerge(customMessages.value[locale] || {}, messages),
+    };
+}
+
+function deepMerge(target, source) {
+    const result = { ...target };
+    for (const key of Object.keys(source)) {
+        if (
+            source[key] &&
+            typeof source[key] === 'object' &&
+            !Array.isArray(source[key]) &&
+            target[key] &&
+            typeof target[key] === 'object'
+        ) {
+            result[key] = deepMerge(target[key], source[key]);
+        } else {
+            result[key] = source[key];
+        }
+    }
+    return result;
+}
+
+export function useI18n() {
+    const locale = computed(() => currentLocale.value);
+
+    function t(key, replacements) {
+        const lang = currentLocale.value;
+
+        // Try custom messages for current locale
+        const custom = resolve(customMessages.value[lang], key);
+        if (typeof custom === 'string') return applyReplacements(custom, replacements);
+
+        // Try built-in messages for current locale
+        const msg = resolve(locales[lang], key);
+        if (typeof msg === 'string') return applyReplacements(msg, replacements);
+
+        // Fallback to English
+        if (lang !== 'en') {
+            const customEn = resolve(customMessages.value.en, key);
+            if (typeof customEn === 'string') return applyReplacements(customEn, replacements);
+
+            const fallback = resolve(locales.en, key);
+            if (typeof fallback === 'string') return applyReplacements(fallback, replacements);
+        }
+
+        // Return raw key
+        return key;
+    }
+
+    return { t, locale };
+}
diff --git a/src/locales/de.json b/src/locales/de.json
new file mode 100644
index 0000000..bf90378
--- /dev/null
+++ b/src/locales/de.json
@@ -0,0 +1,442 @@
+{
+  "nav": {
+    "admin": "Verwaltung",
+    "admin_badge": "ADMIN",
+    "agent_panel": "Agenten-Bereich",
+    "back_to_app": "Zurück zur App",
+    "my_tickets": "Meine Tickets",
+    "dashboard": "Dashboard",
+    "tickets": "Tickets",
+    "reports": "Berichte",
+    "departments": "Abteilungen",
+    "sla_policies": "SLA-Richtlinien",
+    "escalation_rules": "Eskalationsregeln",
+    "tags": "Tags",
+    "canned_responses": "Textvorlagen",
+    "macros": "Makros",
+    "api_tokens": "API-Token",
+    "plugins": "Plugins",
+    "settings": "Einstellungen"
+  },
+  "status": {
+    "open": "Offen",
+    "in_progress": "In Bearbeitung",
+    "waiting_on_customer": "Warten auf Kunde",
+    "waiting_on_agent": "Warten auf Agent",
+    "escalated": "Eskaliert",
+    "resolved": "Gelöst",
+    "closed": "Geschlossen",
+    "reopened": "Wiedereröffnet"
+  },
+  "priority": {
+    "low": "Niedrig",
+    "medium": "Mittel",
+    "high": "Hoch",
+    "urgent": "Dringend",
+    "critical": "Kritisch"
+  },
+  "activity": {
+    "status_changed": "Status geändert",
+    "assigned": "Ticket zugewiesen",
+    "unassigned": "Ticketzuweisung aufgehoben",
+    "priority_changed": "Priorität geändert",
+    "tag_added": "Tag hinzugefügt",
+    "tag_removed": "Tag entfernt",
+    "escalated": "Ticket eskaliert",
+    "sla_breached": "SLA verletzt",
+    "replied": "geantwortet",
+    "note_added": "Notiz hinzugefügt",
+    "department_changed": "Abteilung geändert",
+    "reopened": "Ticket wiedereröffnet",
+    "resolved": "Ticket gelöst",
+    "closed": "Ticket geschlossen",
+    "system": "System",
+    "no_activity": "Noch keine Aktivität.",
+    "to": "auf",
+    "assigned_to": "zugewiesen an"
+  },
+  "ticket": {
+    "reference": "Referenz",
+    "subject": "Betreff",
+    "requester": "Anfragender",
+    "status": "Status",
+    "priority": "Priorität",
+    "assignee": "Zuständiger",
+    "last_reply": "Letzte Antwort",
+    "unknown": "Unbekannt",
+    "unassigned": "Nicht zugewiesen",
+    "no_tickets": "Keine Tickets gefunden.",
+    "details": "Details",
+    "department": "Abteilung",
+    "created": "Erstellt",
+    "activity": "Aktivität",
+    "conversation": "Konversation",
+    "by": "von",
+    "assign_to_me": "Mir zuweisen",
+    "close_ticket": "Ticket schließen",
+    "reopen": "Wiedereröffnen",
+    "all_tickets": "Alle Tickets",
+    "ticket_queue": "Ticket-Warteschlange",
+    "my_tickets": "Meine Tickets",
+    "new_ticket": "Neues Ticket",
+    "create_ticket": "Ticket erstellen",
+    "submit_ticket": "Ticket einreichen",
+    "no_replies": "Noch keine Antworten.",
+    "ticket_closed_no_replies": "Dieses Ticket ist geschlossen. Es können keine weiteren Antworten hinzugefügt werden."
+  },
+  "bulk": {
+    "tickets_selected": ":count Ticket(s) ausgewählt",
+    "status_placeholder": "Status...",
+    "priority_placeholder": "Priorität...",
+    "assign_placeholder": "Zuweisen an...",
+    "department_placeholder": "Abteilung...",
+    "delete": "Löschen",
+    "deselect_all": "Alle abwählen"
+  },
+  "filter": {
+    "search_tickets": "Tickets suchen...",
+    "all_statuses": "Alle Status",
+    "all_priorities": "Alle Prioritäten",
+    "all_agents": "Alle Agenten",
+    "all_departments": "Alle Abteilungen",
+    "following": "Beobachtet"
+  },
+  "quick_filter": {
+    "my_tickets": "Meine Tickets",
+    "unassigned": "Nicht zugewiesen",
+    "urgent_plus": "Dringend+",
+    "sla_breaching": "SLA-Verletzung",
+    "following": "Beobachtet"
+  },
+  "reply": {
+    "reply": "Antworten",
+    "internal_note": "Interne Notiz",
+    "note_visibility": "Diese Notiz ist nur für Agenten sichtbar.",
+    "placeholder": "Antwort eingeben...",
+    "canned_responses": "Textvorlagen...",
+    "add_note": "Notiz hinzufügen",
+    "send_reply": "Antwort senden",
+    "pinned": "Angepinnt",
+    "unpin": "Lösen",
+    "pin": "Anpinnen",
+    "write_internal_note": "Interne Notiz schreiben..."
+  },
+  "rating": {
+    "customer_rating": "Kundenbewertung",
+    "how_was_experience": "Wie war Ihre Erfahrung?",
+    "terrible": "Sehr schlecht",
+    "poor": "Schlecht",
+    "okay": "Okay",
+    "good": "Gut",
+    "excellent": "Ausgezeichnet",
+    "feedback_placeholder": "Weiteres Feedback? (optional)",
+    "thank_you": "Vielen Dank für Ihr Feedback!",
+    "submit_rating": "Bewertung abgeben",
+    "customer_satisfaction": "Kundenzufriedenheit"
+  },
+  "keyboard": {
+    "title": "Tastenkürzel",
+    "list_view": "Listenansicht",
+    "detail_view": "Detailansicht",
+    "global": "Global",
+    "move_down": "Nach unten",
+    "move_up": "Nach oben",
+    "toggle_select": "Auswahl umschalten",
+    "open_ticket": "Ticket öffnen",
+    "reply": "Antworten",
+    "internal_note": "Interne Notiz",
+    "change_status": "Status ändern",
+    "change_priority": "Priorität ändern",
+    "follow_unfollow": "Beobachten/Nicht beobachten",
+    "show_help": "Diese Hilfe anzeigen",
+    "esc_to_close": "Esc zum Schließen drücken"
+  },
+  "sla": {
+    "overdue": "Überfällig",
+    "breached": "SLA verletzt",
+    "first_response": "Erste Antwort",
+    "resolution": "Lösung"
+  },
+  "follow": {
+    "following": "Beobachtet",
+    "follow": "Beobachten"
+  },
+  "file": {
+    "drop_or_browse": "Dateien hier ablegen oder :link",
+    "browse": "durchsuchen"
+  },
+  "macro": {
+    "apply_macro": "Makro anwenden",
+    "macros": "Makros",
+    "no_macros": "Keine Makros verfügbar"
+  },
+  "form": {
+    "name": "Name",
+    "description": "Beschreibung",
+    "slug": "Slug",
+    "auto_generated": "Wird automatisch erzeugt, wenn leer",
+    "active": "Aktiv",
+    "update": "Aktualisieren",
+    "create": "Erstellen",
+    "save": "Speichern",
+    "cancel": "Abbrechen",
+    "edit": "Bearbeiten",
+    "delete": "Löschen",
+    "actions": "Aktionen",
+    "order": "Reihenfolge",
+    "value": "Wert",
+    "yes": "Ja",
+    "no": "Nein",
+    "confirm": "Bestätigen",
+    "none": "Keine",
+    "general": "Allgemein",
+    "shared": "Geteilt",
+    "private": "Privat",
+    "color": "Farbe",
+    "title": "Titel",
+    "copy": "Kopieren",
+    "dismiss": "Verwerfen",
+    "saved": "Gespeichert.",
+    "saving": "Speichern...",
+    "creating": "Erstellen...",
+    "submitting": "Einreichen...",
+    "sending": "Senden...",
+    "uploading": "Hochladen...",
+    "copied": "Kopiert!",
+    "subject": "Betreff",
+    "priority": "Priorität",
+    "department": "Abteilung",
+    "attachments": "Anhänge"
+  },
+  "presence": {
+    "also_viewing": "Ebenfalls angesehen von: :names"
+  },
+  "pinned_notes": {
+    "title": "Angepinnte Notizen",
+    "unpin": "Lösen"
+  },
+  "admin": {
+    "settings": {
+      "title": "Einstellungen",
+      "general": "Allgemein",
+      "guest_tickets": "Gast-Tickets",
+      "guest_tickets_desc": "Besuchern erlauben, Tickets ohne Anmeldung einzureichen",
+      "allow_customer_close": "Kunde darf schließen",
+      "allow_customer_close_desc": "Kunden erlauben, ihre eigenen Tickets zu schließen",
+      "auto_close": "Gelöste Tickets automatisch schließen nach",
+      "auto_close_desc": "Tage nach Lösung bis zum automatischen Schließen (0 zum Deaktivieren)",
+      "days": "Tage",
+      "limits": "Begrenzungen",
+      "max_attachments": "Max. Anhänge pro Antwort",
+      "max_attachment_size": "Max. Anhangsgröße",
+      "tickets": "Tickets",
+      "reference_prefix": "Referenz-Präfix",
+      "reference_prefix_desc": "Präfix für Ticket-Referenzen (z. B. ESC ergibt ESC-00001)",
+      "inbound_email": "Eingehende E-Mail",
+      "inbound_email_desc": "Erstellen und Beantworten von Tickets per E-Mail erlauben",
+      "email_provider": "E-Mail-Anbieter",
+      "email_provider_desc": "Wie eingehende E-Mails empfangen werden",
+      "support_email": "Support-E-Mail-Adresse",
+      "support_email_desc": "Die E-Mail-Adresse, an die Kunden E-Mails senden (z. B. support@beispiel.de)",
+      "signing_key": "Signaturschlüssel",
+      "webhook_url": "Webhook-URL",
+      "mailgun_webhook_desc": "Konfigurieren Sie diese URL in Ihrem Mailgun-Dashboard",
+      "inbound_token": "Eingangs-Token",
+      "postmark_webhook_desc": "Konfigurieren Sie diese URL in Ihren Postmark-Servereinstellungen",
+      "region": "Region",
+      "topic_arn": "Topic-ARN",
+      "ses_webhook_desc": "Konfigurieren Sie diese URL als Ihren SNS-Abonnement-Endpunkt",
+      "host": "Host",
+      "port": "Port",
+      "encryption": "Verschlüsselung",
+      "username": "Benutzername",
+      "password": "Passwort",
+      "mailbox": "Postfach",
+      "save_settings": "Einstellungen speichern"
+    },
+    "reports": {
+      "title": "Berichte",
+      "last_days": "Letzte :count Tage",
+      "total_tickets": "Tickets gesamt",
+      "resolved": "Gelöst",
+      "avg_first_response": "Ø Erste Antwort",
+      "sla_breaches": "SLA-Verletzungen",
+      "by_status": "Nach Status",
+      "by_priority": "Nach Priorität",
+      "no_data": "Keine Ticketdaten für diesen Zeitraum",
+      "no_ratings": "Keine Bewertungen für diesen Zeitraum",
+      "ratings_count": "(:count Bewertungen)"
+    },
+    "departments": {
+      "title": "Abteilungen",
+      "add": "Abteilung hinzufügen",
+      "edit_title": "Abteilung bearbeiten",
+      "new_title": "Neue Abteilung",
+      "tickets": "Tickets",
+      "agents": "Agenten",
+      "no_departments": "Noch keine Abteilungen",
+      "no_departments_desc": "Erstellen Sie Ihre erste Abteilung, um Tickets zu organisieren",
+      "confirm_delete": "Diese Abteilung löschen?"
+    },
+    "sla_policies": {
+      "title": "SLA-Richtlinien",
+      "add": "Richtlinie hinzufügen",
+      "edit_title": "SLA-Richtlinie bearbeiten",
+      "new_title": "Neue SLA-Richtlinie",
+      "default": "Standard",
+      "business_hours": "Geschäftszeiten",
+      "business_hours_only": "Nur Geschäftszeiten",
+      "default_policy": "Standardrichtlinie",
+      "first_response_hours": "Erste-Antwort-Stunden (nach Priorität)",
+      "resolution_hours": "Lösungsstunden (nach Priorität)",
+      "no_policies": "Noch keine SLA-Richtlinien",
+      "no_policies_desc": "Definieren Sie Ziele für Antwort- und Lösungszeiten",
+      "confirm_delete": "Diese SLA-Richtlinie löschen?"
+    },
+    "escalation_rules": {
+      "title": "Eskalationsregeln",
+      "add": "Regel hinzufügen",
+      "edit_title": "Eskalationsregel bearbeiten",
+      "new_title": "Neue Eskalationsregel",
+      "trigger": "Auslöser",
+      "trigger_type": "Auslösertyp",
+      "time_based": "Zeitbasiert",
+      "sla_breach": "SLA-Verletzung",
+      "priority_based": "Prioritätsbasiert",
+      "conditions": "Bedingungen",
+      "add_short": "+ Hinzufügen",
+      "status": "Status",
+      "priority": "Priorität",
+      "assignment": "Zuweisung",
+      "age_hours": "Alter (Stunden)",
+      "no_response_hours": "Keine Antwort (Stunden)",
+      "sla_breached": "SLA verletzt",
+      "escalate": "Eskalieren",
+      "change_priority": "Priorität ändern",
+      "assign_to": "Zuweisen an",
+      "change_department": "Abteilung ändern",
+      "no_rules": "Noch keine Eskalationsregeln",
+      "no_rules_desc": "Richten Sie automatische Eskalationen für überfällige Tickets ein",
+      "confirm_delete": "Diese Eskalationsregel löschen?"
+    },
+    "canned_responses": {
+      "title": "Textvorlagen",
+      "add": "Vorlage hinzufügen",
+      "title_placeholder": "Titel",
+      "body_placeholder": "Antworttext...",
+      "category_placeholder": "Kategorie (optional)",
+      "no_responses": "Noch keine Textvorlagen",
+      "no_responses_desc": "Erstellen Sie wiederverwendbare Vorlagen für häufige Antworten",
+      "confirm_delete": "Diese Textvorlage löschen?"
+    },
+    "tags": {
+      "title": "Tags",
+      "add": "Tag hinzufügen",
+      "no_tags": "Noch keine Tags",
+      "no_tags_desc": "Erstellen Sie Tags, um Tickets zu kategorisieren und zu filtern",
+      "confirm_delete": "Diesen Tag löschen?"
+    },
+    "macros": {
+      "title": "Makros",
+      "subtitle": "Makros automatisieren wiederkehrende Aktionen an Tickets.",
+      "create_macro": "Makro erstellen",
+      "update_macro": "Makro aktualisieren",
+      "shared_label": "Mit allen Agenten geteilt",
+      "add_action": "+ Aktion hinzufügen",
+      "no_actions": "Noch keine Aktionen. Fügen Sie Aktionen hinzu, um festzulegen, was dieses Makro tut.",
+      "set_status": "Status setzen",
+      "set_priority": "Priorität setzen",
+      "assign_to": "Zuweisen an",
+      "add_tags": "Tags hinzufügen",
+      "move_to_department": "In Abteilung verschieben",
+      "send_reply": "Antwort senden",
+      "add_internal_note": "Interne Notiz hinzufügen",
+      "select_status": "Status auswählen...",
+      "select_priority": "Priorität auswählen...",
+      "agent_placeholder": "Agenten-ID oder E-Mail",
+      "tags_placeholder": "Kommagetrennte Tag-Namen",
+      "department_placeholder": "Abteilungs-ID oder Name",
+      "reply_placeholder": "Antwortnachricht...",
+      "note_placeholder": "Notizinhalt...",
+      "no_macros": "Noch keine Makros",
+      "no_macros_desc": "Erstellen Sie Makros, um wiederkehrende Ticketaktionen zu automatisieren",
+      "creator": "Ersteller",
+      "confirm_delete": "Dieses Makro löschen? Dies kann nicht rückgängig gemacht werden."
+    },
+    "api_tokens": {
+      "title": "API-Token",
+      "subtitle": "Verwalten Sie API-Token für Desktop-Apps und externe Integrationen.",
+      "create_token": "Token erstellen",
+      "api_disabled": "Die REST-API ist derzeit deaktiviert. Setzen Sie ESCALATED_API_ENABLED=true in Ihrer .env-Datei, um sie zu aktivieren.",
+      "token_created": "Token erstellt! Kopieren Sie ihn jetzt – er wird nicht erneut angezeigt.",
+      "new_token": "Neues API-Token",
+      "token_name": "Token-Name",
+      "token_name_placeholder": "z. B. Desktop-App - Arbeits-Laptop",
+      "user": "Benutzer",
+      "select_user": "Benutzer auswählen...",
+      "abilities": "Berechtigungen",
+      "expires_in": "Läuft ab in (Tage)",
+      "no_expiration": "Leer lassen für kein Ablaufdatum",
+      "last_used": "Zuletzt verwendet",
+      "expires": "Läuft ab",
+      "never": "Nie",
+      "expired": "Abgelaufen",
+      "revoke": "Widerrufen",
+      "no_tokens": "Noch keine API-Token erstellt.",
+      "confirm_revoke": "Möchten Sie dieses Token wirklich widerrufen? Dies kann nicht rückgängig gemacht werden."
+    },
+    "plugins": {
+      "title": "Plugins",
+      "upload": "Plugin hochladen",
+      "plugin_zip": "Plugin-ZIP-Datei",
+      "installed": "Installierte Plugins",
+      "no_plugins": "Keine Plugins installiert",
+      "no_plugins_alt": "Noch keine Plugins installiert.",
+      "no_plugins_desc": "Laden Sie ein Plugin-ZIP hoch, um Escalated mit benutzerdefinierter Funktionalität zu erweitern.",
+      "active": "Aktiv",
+      "inactive": "Inaktiv",
+      "installed_date": "Installiert am :date",
+      "menu_items": ":count Menüeintrag/-einträge",
+      "widgets": ":count Widget(s)",
+      "page_components": ":count Seitenkomponente(n)",
+      "confirm_delete": "Möchten Sie dieses Plugin wirklich löschen? Dies kann nicht rückgängig gemacht werden."
+    }
+  },
+  "agent": {
+    "dashboard": "Agenten-Dashboard",
+    "open_tickets": "Offene Tickets",
+    "my_assigned": "Mir zugewiesen",
+    "unassigned": "Nicht zugewiesen",
+    "sla_breached": "SLA verletzt",
+    "resolved_today": "Heute gelöst",
+    "needs_attention": "Erfordert Aufmerksamkeit",
+    "sla_breaching": "SLA-Verletzung",
+    "unassigned_urgent": "Nicht zugewiesen – Dringend",
+    "recent_tickets": "Neueste Tickets",
+    "no_recent_tickets": "Keine neuesten Tickets",
+    "my_performance": "Meine Leistung",
+    "resolved_this_week": "Diese Woche gelöst"
+  },
+  "guest": {
+    "submit_title": "Ticket einreichen",
+    "submit_heading": "Support-Ticket einreichen",
+    "submit_desc": "Kein Konto erforderlich. Sie erhalten einen Link zur Nachverfolgung Ihres Tickets.",
+    "sign_in_link": "Haben Sie bereits ein Konto? Anmelden",
+    "your_name": "Ihr Name",
+    "email_address": "E-Mail-Adresse",
+    "bookmark_title": "Diese Seite als Lesezeichen speichern",
+    "bookmark_desc": "Dies ist Ihr privater Link, um dieses Ticket einzusehen und zu beantworten.",
+    "copy_link": "Link kopieren",
+    "write_reply": "Antwort schreiben..."
+  },
+  "customer": {
+    "replies": "Antworten",
+    "reply": "Antworten"
+  },
+  "common": {
+    "change_status": "Status ändern...",
+    "change_priority": "Priorität ändern...",
+    "kb": "KB",
+    "upload": "Hochladen"
+  }
+}
diff --git a/src/locales/en.json b/src/locales/en.json
new file mode 100644
index 0000000..a42bd68
--- /dev/null
+++ b/src/locales/en.json
@@ -0,0 +1,442 @@
+{
+  "nav": {
+    "admin": "Admin",
+    "admin_badge": "ADMIN",
+    "agent_panel": "Agent Panel",
+    "back_to_app": "Back to App",
+    "my_tickets": "My Tickets",
+    "dashboard": "Dashboard",
+    "tickets": "Tickets",
+    "reports": "Reports",
+    "departments": "Departments",
+    "sla_policies": "SLA Policies",
+    "escalation_rules": "Escalation Rules",
+    "tags": "Tags",
+    "canned_responses": "Canned Responses",
+    "macros": "Macros",
+    "api_tokens": "API Tokens",
+    "plugins": "Plugins",
+    "settings": "Settings"
+  },
+  "status": {
+    "open": "Open",
+    "in_progress": "In Progress",
+    "waiting_on_customer": "Waiting on Customer",
+    "waiting_on_agent": "Waiting on Agent",
+    "escalated": "Escalated",
+    "resolved": "Resolved",
+    "closed": "Closed",
+    "reopened": "Reopened"
+  },
+  "priority": {
+    "low": "Low",
+    "medium": "Medium",
+    "high": "High",
+    "urgent": "Urgent",
+    "critical": "Critical"
+  },
+  "activity": {
+    "status_changed": "changed status",
+    "assigned": "assigned ticket",
+    "unassigned": "unassigned ticket",
+    "priority_changed": "changed priority",
+    "tag_added": "added tag",
+    "tag_removed": "removed tag",
+    "escalated": "escalated ticket",
+    "sla_breached": "SLA breached",
+    "replied": "replied",
+    "note_added": "added note",
+    "department_changed": "changed department",
+    "reopened": "reopened ticket",
+    "resolved": "resolved ticket",
+    "closed": "closed ticket",
+    "system": "System",
+    "no_activity": "No activity yet.",
+    "to": "to",
+    "assigned_to": "assigned to"
+  },
+  "ticket": {
+    "reference": "Reference",
+    "subject": "Subject",
+    "requester": "Requester",
+    "status": "Status",
+    "priority": "Priority",
+    "assignee": "Assignee",
+    "last_reply": "Last Reply",
+    "unknown": "Unknown",
+    "unassigned": "Unassigned",
+    "no_tickets": "No tickets found.",
+    "details": "Details",
+    "department": "Department",
+    "created": "Created",
+    "activity": "Activity",
+    "conversation": "Conversation",
+    "by": "by",
+    "assign_to_me": "Assign to Me",
+    "close_ticket": "Close Ticket",
+    "reopen": "Reopen",
+    "all_tickets": "All Tickets",
+    "ticket_queue": "Ticket Queue",
+    "my_tickets": "My Tickets",
+    "new_ticket": "New Ticket",
+    "create_ticket": "Create Ticket",
+    "submit_ticket": "Submit Ticket",
+    "no_replies": "No replies yet.",
+    "ticket_closed_no_replies": "This ticket is closed. No further replies can be added."
+  },
+  "bulk": {
+    "tickets_selected": ":count ticket(s) selected",
+    "status_placeholder": "Status...",
+    "priority_placeholder": "Priority...",
+    "assign_placeholder": "Assign to...",
+    "department_placeholder": "Department...",
+    "delete": "Delete",
+    "deselect_all": "Deselect All"
+  },
+  "filter": {
+    "search_tickets": "Search tickets...",
+    "all_statuses": "All Statuses",
+    "all_priorities": "All Priorities",
+    "all_agents": "All Agents",
+    "all_departments": "All Departments",
+    "following": "Following"
+  },
+  "quick_filter": {
+    "my_tickets": "My Tickets",
+    "unassigned": "Unassigned",
+    "urgent_plus": "Urgent+",
+    "sla_breaching": "SLA Breaching",
+    "following": "Following"
+  },
+  "reply": {
+    "reply": "Reply",
+    "internal_note": "Internal Note",
+    "note_visibility": "This note is only visible to agents.",
+    "placeholder": "Type your reply...",
+    "canned_responses": "Canned responses...",
+    "add_note": "Add Note",
+    "send_reply": "Send Reply",
+    "pinned": "Pinned",
+    "unpin": "Unpin",
+    "pin": "Pin",
+    "write_internal_note": "Write an internal note..."
+  },
+  "rating": {
+    "customer_rating": "Customer Rating",
+    "how_was_experience": "How was your experience?",
+    "terrible": "Terrible",
+    "poor": "Poor",
+    "okay": "Okay",
+    "good": "Good",
+    "excellent": "Excellent",
+    "feedback_placeholder": "Any additional feedback? (optional)",
+    "thank_you": "Thank you for your feedback!",
+    "submit_rating": "Submit Rating",
+    "customer_satisfaction": "Customer Satisfaction"
+  },
+  "keyboard": {
+    "title": "Keyboard Shortcuts",
+    "list_view": "List View",
+    "detail_view": "Detail View",
+    "global": "Global",
+    "move_down": "Move down",
+    "move_up": "Move up",
+    "toggle_select": "Toggle select",
+    "open_ticket": "Open ticket",
+    "reply": "Reply",
+    "internal_note": "Internal note",
+    "change_status": "Change status",
+    "change_priority": "Change priority",
+    "follow_unfollow": "Follow/unfollow",
+    "show_help": "Show this help",
+    "esc_to_close": "Press Esc to close"
+  },
+  "sla": {
+    "overdue": "Overdue",
+    "breached": "SLA Breached",
+    "first_response": "First Response",
+    "resolution": "Resolution"
+  },
+  "follow": {
+    "following": "Following",
+    "follow": "Follow"
+  },
+  "file": {
+    "drop_or_browse": "Drop files here or :link",
+    "browse": "browse"
+  },
+  "macro": {
+    "apply_macro": "Apply Macro",
+    "macros": "Macros",
+    "no_macros": "No macros available"
+  },
+  "form": {
+    "name": "Name",
+    "description": "Description",
+    "slug": "Slug",
+    "auto_generated": "Auto-generated if empty",
+    "active": "Active",
+    "update": "Update",
+    "create": "Create",
+    "save": "Save",
+    "cancel": "Cancel",
+    "edit": "Edit",
+    "delete": "Delete",
+    "actions": "Actions",
+    "order": "Order",
+    "value": "Value",
+    "yes": "Yes",
+    "no": "No",
+    "confirm": "Confirm",
+    "none": "None",
+    "general": "General",
+    "shared": "Shared",
+    "private": "Private",
+    "color": "Color",
+    "title": "Title",
+    "copy": "Copy",
+    "dismiss": "Dismiss",
+    "saved": "Saved.",
+    "saving": "Saving...",
+    "creating": "Creating...",
+    "submitting": "Submitting...",
+    "sending": "Sending...",
+    "uploading": "Uploading...",
+    "copied": "Copied!",
+    "subject": "Subject",
+    "priority": "Priority",
+    "department": "Department",
+    "attachments": "Attachments"
+  },
+  "presence": {
+    "also_viewing": "Also viewing: :names"
+  },
+  "pinned_notes": {
+    "title": "Pinned Notes",
+    "unpin": "Unpin"
+  },
+  "admin": {
+    "settings": {
+      "title": "Settings",
+      "general": "General",
+      "guest_tickets": "Guest Tickets",
+      "guest_tickets_desc": "Allow visitors to submit tickets without signing in",
+      "allow_customer_close": "Allow Customer Close",
+      "allow_customer_close_desc": "Let customers close their own tickets",
+      "auto_close": "Auto-close resolved tickets after",
+      "auto_close_desc": "Days after resolution before auto-closing (0 to disable)",
+      "days": "days",
+      "limits": "Limits",
+      "max_attachments": "Max attachments per reply",
+      "max_attachment_size": "Max attachment size",
+      "tickets": "Tickets",
+      "reference_prefix": "Reference Prefix",
+      "reference_prefix_desc": "Prefix for ticket references (e.g. ESC produces ESC-00001)",
+      "inbound_email": "Inbound Email",
+      "inbound_email_desc": "Allow creating and replying to tickets via email",
+      "email_provider": "Email Provider",
+      "email_provider_desc": "How inbound emails are received",
+      "support_email": "Support Email Address",
+      "support_email_desc": "The email address customers will send emails to (e.g. support@example.com)",
+      "signing_key": "Signing Key",
+      "webhook_url": "Webhook URL",
+      "mailgun_webhook_desc": "Configure this URL in your Mailgun dashboard",
+      "inbound_token": "Inbound Token",
+      "postmark_webhook_desc": "Configure this URL in your Postmark server settings",
+      "region": "Region",
+      "topic_arn": "Topic ARN",
+      "ses_webhook_desc": "Configure this URL as your SNS subscription endpoint",
+      "host": "Host",
+      "port": "Port",
+      "encryption": "Encryption",
+      "username": "Username",
+      "password": "Password",
+      "mailbox": "Mailbox",
+      "save_settings": "Save Settings"
+    },
+    "reports": {
+      "title": "Reports",
+      "last_days": "Last :count days",
+      "total_tickets": "Total Tickets",
+      "resolved": "Resolved",
+      "avg_first_response": "Avg First Response",
+      "sla_breaches": "SLA Breaches",
+      "by_status": "By Status",
+      "by_priority": "By Priority",
+      "no_data": "No ticket data for this period",
+      "no_ratings": "No ratings for this period",
+      "ratings_count": "(:count ratings)"
+    },
+    "departments": {
+      "title": "Departments",
+      "add": "Add Department",
+      "edit_title": "Edit Department",
+      "new_title": "New Department",
+      "tickets": "Tickets",
+      "agents": "Agents",
+      "no_departments": "No departments yet",
+      "no_departments_desc": "Create your first department to organize tickets",
+      "confirm_delete": "Delete this department?"
+    },
+    "sla_policies": {
+      "title": "SLA Policies",
+      "add": "Add Policy",
+      "edit_title": "Edit SLA Policy",
+      "new_title": "New SLA Policy",
+      "default": "Default",
+      "business_hours": "Business Hours",
+      "business_hours_only": "Business hours only",
+      "default_policy": "Default policy",
+      "first_response_hours": "First Response Hours (by priority)",
+      "resolution_hours": "Resolution Hours (by priority)",
+      "no_policies": "No SLA policies yet",
+      "no_policies_desc": "Define response and resolution time targets",
+      "confirm_delete": "Delete this SLA policy?"
+    },
+    "escalation_rules": {
+      "title": "Escalation Rules",
+      "add": "Add Rule",
+      "edit_title": "Edit Escalation Rule",
+      "new_title": "New Escalation Rule",
+      "trigger": "Trigger",
+      "trigger_type": "Trigger Type",
+      "time_based": "Time Based",
+      "sla_breach": "SLA Breach",
+      "priority_based": "Priority Based",
+      "conditions": "Conditions",
+      "add_short": "+ Add",
+      "status": "Status",
+      "priority": "Priority",
+      "assignment": "Assignment",
+      "age_hours": "Age (hours)",
+      "no_response_hours": "No Response (hours)",
+      "sla_breached": "SLA Breached",
+      "escalate": "Escalate",
+      "change_priority": "Change Priority",
+      "assign_to": "Assign To",
+      "change_department": "Change Department",
+      "no_rules": "No escalation rules yet",
+      "no_rules_desc": "Set up automatic escalation for overdue tickets",
+      "confirm_delete": "Delete this escalation rule?"
+    },
+    "canned_responses": {
+      "title": "Canned Responses",
+      "add": "Add Response",
+      "title_placeholder": "Title",
+      "body_placeholder": "Response body...",
+      "category_placeholder": "Category (optional)",
+      "no_responses": "No canned responses yet",
+      "no_responses_desc": "Create reusable templates for common replies",
+      "confirm_delete": "Delete this canned response?"
+    },
+    "tags": {
+      "title": "Tags",
+      "add": "Add Tag",
+      "no_tags": "No tags yet",
+      "no_tags_desc": "Create tags to categorize and filter tickets",
+      "confirm_delete": "Delete this tag?"
+    },
+    "macros": {
+      "title": "Macros",
+      "subtitle": "Macros automate repetitive actions on tickets.",
+      "create_macro": "Create Macro",
+      "update_macro": "Update Macro",
+      "shared_label": "Shared with all agents",
+      "add_action": "+ Add Action",
+      "no_actions": "No actions yet. Add actions to define what this macro does.",
+      "set_status": "Set Status",
+      "set_priority": "Set Priority",
+      "assign_to": "Assign To",
+      "add_tags": "Add Tags",
+      "move_to_department": "Move to Department",
+      "send_reply": "Send Reply",
+      "add_internal_note": "Add Internal Note",
+      "select_status": "Select status...",
+      "select_priority": "Select priority...",
+      "agent_placeholder": "Agent ID or email",
+      "tags_placeholder": "Comma-separated tag names",
+      "department_placeholder": "Department ID or name",
+      "reply_placeholder": "Reply message...",
+      "note_placeholder": "Note content...",
+      "no_macros": "No macros yet",
+      "no_macros_desc": "Create macros to automate repetitive ticket actions",
+      "creator": "Creator",
+      "confirm_delete": "Delete this macro? This cannot be undone."
+    },
+    "api_tokens": {
+      "title": "API Tokens",
+      "subtitle": "Manage API tokens for desktop apps and external integrations.",
+      "create_token": "Create Token",
+      "api_disabled": "The REST API is currently disabled. Set ESCALATED_API_ENABLED=true in your .env to enable it.",
+      "token_created": "Token created! Copy it now — it won't be shown again.",
+      "new_token": "New API Token",
+      "token_name": "Token Name",
+      "token_name_placeholder": "e.g. Desktop App - Work Laptop",
+      "user": "User",
+      "select_user": "Select user...",
+      "abilities": "Abilities",
+      "expires_in": "Expires In (days)",
+      "no_expiration": "Leave empty for no expiration",
+      "last_used": "Last Used",
+      "expires": "Expires",
+      "never": "Never",
+      "expired": "Expired",
+      "revoke": "Revoke",
+      "no_tokens": "No API tokens created yet.",
+      "confirm_revoke": "Are you sure you want to revoke this token? This cannot be undone."
+    },
+    "plugins": {
+      "title": "Plugins",
+      "upload": "Upload Plugin",
+      "plugin_zip": "Plugin ZIP File",
+      "installed": "Installed Plugins",
+      "no_plugins": "No plugins installed",
+      "no_plugins_alt": "No plugins installed yet.",
+      "no_plugins_desc": "Upload a plugin ZIP to extend Escalated with custom functionality.",
+      "active": "Active",
+      "inactive": "Inactive",
+      "installed_date": "Installed :date",
+      "menu_items": ":count menu item(s)",
+      "widgets": ":count widget(s)",
+      "page_components": ":count page component(s)",
+      "confirm_delete": "Are you sure you want to delete this plugin? This cannot be undone."
+    }
+  },
+  "agent": {
+    "dashboard": "Agent Dashboard",
+    "open_tickets": "Open Tickets",
+    "my_assigned": "My Assigned",
+    "unassigned": "Unassigned",
+    "sla_breached": "SLA Breached",
+    "resolved_today": "Resolved Today",
+    "needs_attention": "Needs Attention",
+    "sla_breaching": "SLA Breaching",
+    "unassigned_urgent": "Unassigned Urgent",
+    "recent_tickets": "Recent Tickets",
+    "no_recent_tickets": "No recent tickets",
+    "my_performance": "My Performance",
+    "resolved_this_week": "Resolved This Week"
+  },
+  "guest": {
+    "submit_title": "Submit a Ticket",
+    "submit_heading": "Submit a Support Ticket",
+    "submit_desc": "No account needed. We'll give you a link to track your ticket.",
+    "sign_in_link": "Already have an account? Sign in",
+    "your_name": "Your Name",
+    "email_address": "Email Address",
+    "bookmark_title": "Bookmark this page",
+    "bookmark_desc": "This is your private link to view and reply to this ticket.",
+    "copy_link": "Copy Link",
+    "write_reply": "Write your reply..."
+  },
+  "customer": {
+    "replies": "Replies",
+    "reply": "Reply"
+  },
+  "common": {
+    "change_status": "Change Status...",
+    "change_priority": "Change Priority...",
+    "kb": "KB",
+    "upload": "Upload"
+  }
+}
diff --git a/src/locales/es.json b/src/locales/es.json
new file mode 100644
index 0000000..5c2d662
--- /dev/null
+++ b/src/locales/es.json
@@ -0,0 +1,442 @@
+{
+  "nav": {
+    "admin": "Administración",
+    "admin_badge": "ADMIN",
+    "agent_panel": "Panel de Agente",
+    "back_to_app": "Volver a la App",
+    "my_tickets": "Mis Tickets",
+    "dashboard": "Panel",
+    "tickets": "Tickets",
+    "reports": "Informes",
+    "departments": "Departamentos",
+    "sla_policies": "Políticas de SLA",
+    "escalation_rules": "Reglas de Escalamiento",
+    "tags": "Etiquetas",
+    "canned_responses": "Respuestas Predefinidas",
+    "macros": "Macros",
+    "api_tokens": "Tokens de API",
+    "plugins": "Plugins",
+    "settings": "Configuración"
+  },
+  "status": {
+    "open": "Abierto",
+    "in_progress": "En Progreso",
+    "waiting_on_customer": "Esperando al Cliente",
+    "waiting_on_agent": "Esperando al Agente",
+    "escalated": "Escalado",
+    "resolved": "Resuelto",
+    "closed": "Cerrado",
+    "reopened": "Reabierto"
+  },
+  "priority": {
+    "low": "Baja",
+    "medium": "Media",
+    "high": "Alta",
+    "urgent": "Urgente",
+    "critical": "Crítica"
+  },
+  "activity": {
+    "status_changed": "cambió el estado",
+    "assigned": "asignó el ticket",
+    "unassigned": "desasignó el ticket",
+    "priority_changed": "cambió la prioridad",
+    "tag_added": "agregó etiqueta",
+    "tag_removed": "eliminó etiqueta",
+    "escalated": "escaló el ticket",
+    "sla_breached": "SLA incumplido",
+    "replied": "respondió",
+    "note_added": "agregó nota",
+    "department_changed": "cambió el departamento",
+    "reopened": "reabrió el ticket",
+    "resolved": "resolvió el ticket",
+    "closed": "cerró el ticket",
+    "system": "Sistema",
+    "no_activity": "No hay actividad aún.",
+    "to": "a",
+    "assigned_to": "asignado a"
+  },
+  "ticket": {
+    "reference": "Referencia",
+    "subject": "Asunto",
+    "requester": "Solicitante",
+    "status": "Estado",
+    "priority": "Prioridad",
+    "assignee": "Asignado",
+    "last_reply": "Última Respuesta",
+    "unknown": "Desconocido",
+    "unassigned": "Sin Asignar",
+    "no_tickets": "No se encontraron tickets.",
+    "details": "Detalles",
+    "department": "Departamento",
+    "created": "Creado",
+    "activity": "Actividad",
+    "conversation": "Conversación",
+    "by": "por",
+    "assign_to_me": "Asignarme",
+    "close_ticket": "Cerrar Ticket",
+    "reopen": "Reabrir",
+    "all_tickets": "Todos los Tickets",
+    "ticket_queue": "Cola de Tickets",
+    "my_tickets": "Mis Tickets",
+    "new_ticket": "Nuevo Ticket",
+    "create_ticket": "Crear Ticket",
+    "submit_ticket": "Enviar Ticket",
+    "no_replies": "No hay respuestas aún.",
+    "ticket_closed_no_replies": "Este ticket está cerrado. No se pueden agregar más respuestas."
+  },
+  "bulk": {
+    "tickets_selected": ":count ticket(s) seleccionado(s)",
+    "status_placeholder": "Estado...",
+    "priority_placeholder": "Prioridad...",
+    "assign_placeholder": "Asignar a...",
+    "department_placeholder": "Departamento...",
+    "delete": "Eliminar",
+    "deselect_all": "Deseleccionar Todo"
+  },
+  "filter": {
+    "search_tickets": "Buscar tickets...",
+    "all_statuses": "Todos los Estados",
+    "all_priorities": "Todas las Prioridades",
+    "all_agents": "Todos los Agentes",
+    "all_departments": "Todos los Departamentos",
+    "following": "Siguiendo"
+  },
+  "quick_filter": {
+    "my_tickets": "Mis Tickets",
+    "unassigned": "Sin Asignar",
+    "urgent_plus": "Urgente+",
+    "sla_breaching": "SLA en Riesgo",
+    "following": "Siguiendo"
+  },
+  "reply": {
+    "reply": "Responder",
+    "internal_note": "Nota Interna",
+    "note_visibility": "Esta nota solo es visible para los agentes.",
+    "placeholder": "Escribe tu respuesta...",
+    "canned_responses": "Respuestas predefinidas...",
+    "add_note": "Agregar Nota",
+    "send_reply": "Enviar Respuesta",
+    "pinned": "Fijado",
+    "unpin": "Desfijar",
+    "pin": "Fijar",
+    "write_internal_note": "Escribe una nota interna..."
+  },
+  "rating": {
+    "customer_rating": "Valoración del Cliente",
+    "how_was_experience": "¿Cómo fue tu experiencia?",
+    "terrible": "Terrible",
+    "poor": "Mala",
+    "okay": "Aceptable",
+    "good": "Buena",
+    "excellent": "Excelente",
+    "feedback_placeholder": "¿Algún comentario adicional? (opcional)",
+    "thank_you": "¡Gracias por tu valoración!",
+    "submit_rating": "Enviar Valoración",
+    "customer_satisfaction": "Satisfacción del Cliente"
+  },
+  "keyboard": {
+    "title": "Atajos de Teclado",
+    "list_view": "Vista de Lista",
+    "detail_view": "Vista de Detalle",
+    "global": "Global",
+    "move_down": "Mover abajo",
+    "move_up": "Mover arriba",
+    "toggle_select": "Alternar selección",
+    "open_ticket": "Abrir ticket",
+    "reply": "Responder",
+    "internal_note": "Nota interna",
+    "change_status": "Cambiar estado",
+    "change_priority": "Cambiar prioridad",
+    "follow_unfollow": "Seguir/dejar de seguir",
+    "show_help": "Mostrar esta ayuda",
+    "esc_to_close": "Presiona Esc para cerrar"
+  },
+  "sla": {
+    "overdue": "Vencido",
+    "breached": "SLA Incumplido",
+    "first_response": "Primera Respuesta",
+    "resolution": "Resolución"
+  },
+  "follow": {
+    "following": "Siguiendo",
+    "follow": "Seguir"
+  },
+  "file": {
+    "drop_or_browse": "Arrastra archivos aquí o :link",
+    "browse": "explora"
+  },
+  "macro": {
+    "apply_macro": "Aplicar Macro",
+    "macros": "Macros",
+    "no_macros": "No hay macros disponibles"
+  },
+  "form": {
+    "name": "Nombre",
+    "description": "Descripción",
+    "slug": "Slug",
+    "auto_generated": "Se genera automáticamente si está vacío",
+    "active": "Activo",
+    "update": "Actualizar",
+    "create": "Crear",
+    "save": "Guardar",
+    "cancel": "Cancelar",
+    "edit": "Editar",
+    "delete": "Eliminar",
+    "actions": "Acciones",
+    "order": "Orden",
+    "value": "Valor",
+    "yes": "Sí",
+    "no": "No",
+    "confirm": "Confirmar",
+    "none": "Ninguno",
+    "general": "General",
+    "shared": "Compartido",
+    "private": "Privado",
+    "color": "Color",
+    "title": "Título",
+    "copy": "Copiar",
+    "dismiss": "Descartar",
+    "saved": "Guardado.",
+    "saving": "Guardando...",
+    "creating": "Creando...",
+    "submitting": "Enviando...",
+    "sending": "Enviando...",
+    "uploading": "Subiendo...",
+    "copied": "¡Copiado!",
+    "subject": "Asunto",
+    "priority": "Prioridad",
+    "department": "Departamento",
+    "attachments": "Adjuntos"
+  },
+  "presence": {
+    "also_viewing": "También viendo: :names"
+  },
+  "pinned_notes": {
+    "title": "Notas Fijadas",
+    "unpin": "Desfijar"
+  },
+  "admin": {
+    "settings": {
+      "title": "Configuración",
+      "general": "General",
+      "guest_tickets": "Tickets de Invitados",
+      "guest_tickets_desc": "Permitir que los visitantes envíen tickets sin iniciar sesión",
+      "allow_customer_close": "Permitir Cierre por Cliente",
+      "allow_customer_close_desc": "Permitir que los clientes cierren sus propios tickets",
+      "auto_close": "Cerrar automáticamente tickets resueltos después de",
+      "auto_close_desc": "Días después de la resolución antes del cierre automático (0 para desactivar)",
+      "days": "días",
+      "limits": "Límites",
+      "max_attachments": "Máximo de adjuntos por respuesta",
+      "max_attachment_size": "Tamaño máximo de adjunto",
+      "tickets": "Tickets",
+      "reference_prefix": "Prefijo de Referencia",
+      "reference_prefix_desc": "Prefijo para las referencias de tickets (ej. ESC genera ESC-00001)",
+      "inbound_email": "Correo Entrante",
+      "inbound_email_desc": "Permitir crear y responder tickets por correo electrónico",
+      "email_provider": "Proveedor de Correo",
+      "email_provider_desc": "Cómo se reciben los correos entrantes",
+      "support_email": "Dirección de Correo de Soporte",
+      "support_email_desc": "La dirección de correo a la que los clientes enviarán sus emails (ej. soporte@ejemplo.com)",
+      "signing_key": "Clave de Firma",
+      "webhook_url": "URL del Webhook",
+      "mailgun_webhook_desc": "Configura esta URL en tu panel de Mailgun",
+      "inbound_token": "Token de Entrada",
+      "postmark_webhook_desc": "Configura esta URL en la configuración de tu servidor Postmark",
+      "region": "Región",
+      "topic_arn": "ARN del Tema",
+      "ses_webhook_desc": "Configura esta URL como punto de conexión de tu suscripción SNS",
+      "host": "Host",
+      "port": "Puerto",
+      "encryption": "Cifrado",
+      "username": "Usuario",
+      "password": "Contraseña",
+      "mailbox": "Buzón",
+      "save_settings": "Guardar Configuración"
+    },
+    "reports": {
+      "title": "Informes",
+      "last_days": "Últimos :count días",
+      "total_tickets": "Total de Tickets",
+      "resolved": "Resueltos",
+      "avg_first_response": "Tiempo Promedio de Primera Respuesta",
+      "sla_breaches": "Incumplimientos de SLA",
+      "by_status": "Por Estado",
+      "by_priority": "Por Prioridad",
+      "no_data": "No hay datos de tickets para este período",
+      "no_ratings": "No hay valoraciones para este período",
+      "ratings_count": "(:count valoraciones)"
+    },
+    "departments": {
+      "title": "Departamentos",
+      "add": "Agregar Departamento",
+      "edit_title": "Editar Departamento",
+      "new_title": "Nuevo Departamento",
+      "tickets": "Tickets",
+      "agents": "Agentes",
+      "no_departments": "No hay departamentos aún",
+      "no_departments_desc": "Crea tu primer departamento para organizar los tickets",
+      "confirm_delete": "¿Eliminar este departamento?"
+    },
+    "sla_policies": {
+      "title": "Políticas de SLA",
+      "add": "Agregar Política",
+      "edit_title": "Editar Política de SLA",
+      "new_title": "Nueva Política de SLA",
+      "default": "Predeterminada",
+      "business_hours": "Horario Laboral",
+      "business_hours_only": "Solo horario laboral",
+      "default_policy": "Política predeterminada",
+      "first_response_hours": "Horas de Primera Respuesta (por prioridad)",
+      "resolution_hours": "Horas de Resolución (por prioridad)",
+      "no_policies": "No hay políticas de SLA aún",
+      "no_policies_desc": "Define objetivos de tiempo de respuesta y resolución",
+      "confirm_delete": "¿Eliminar esta política de SLA?"
+    },
+    "escalation_rules": {
+      "title": "Reglas de Escalamiento",
+      "add": "Agregar Regla",
+      "edit_title": "Editar Regla de Escalamiento",
+      "new_title": "Nueva Regla de Escalamiento",
+      "trigger": "Disparador",
+      "trigger_type": "Tipo de Disparador",
+      "time_based": "Basado en Tiempo",
+      "sla_breach": "Incumplimiento de SLA",
+      "priority_based": "Basado en Prioridad",
+      "conditions": "Condiciones",
+      "add_short": "+ Agregar",
+      "status": "Estado",
+      "priority": "Prioridad",
+      "assignment": "Asignación",
+      "age_hours": "Antigüedad (horas)",
+      "no_response_hours": "Sin Respuesta (horas)",
+      "sla_breached": "SLA Incumplido",
+      "escalate": "Escalar",
+      "change_priority": "Cambiar Prioridad",
+      "assign_to": "Asignar A",
+      "change_department": "Cambiar Departamento",
+      "no_rules": "No hay reglas de escalamiento aún",
+      "no_rules_desc": "Configura el escalamiento automático para tickets vencidos",
+      "confirm_delete": "¿Eliminar esta regla de escalamiento?"
+    },
+    "canned_responses": {
+      "title": "Respuestas Predefinidas",
+      "add": "Agregar Respuesta",
+      "title_placeholder": "Título",
+      "body_placeholder": "Cuerpo de la respuesta...",
+      "category_placeholder": "Categoría (opcional)",
+      "no_responses": "No hay respuestas predefinidas aún",
+      "no_responses_desc": "Crea plantillas reutilizables para respuestas comunes",
+      "confirm_delete": "¿Eliminar esta respuesta predefinida?"
+    },
+    "tags": {
+      "title": "Etiquetas",
+      "add": "Agregar Etiqueta",
+      "no_tags": "No hay etiquetas aún",
+      "no_tags_desc": "Crea etiquetas para categorizar y filtrar tickets",
+      "confirm_delete": "¿Eliminar esta etiqueta?"
+    },
+    "macros": {
+      "title": "Macros",
+      "subtitle": "Las macros automatizan acciones repetitivas en los tickets.",
+      "create_macro": "Crear Macro",
+      "update_macro": "Actualizar Macro",
+      "shared_label": "Compartida con todos los agentes",
+      "add_action": "+ Agregar Acción",
+      "no_actions": "No hay acciones aún. Agrega acciones para definir lo que hace esta macro.",
+      "set_status": "Establecer Estado",
+      "set_priority": "Establecer Prioridad",
+      "assign_to": "Asignar A",
+      "add_tags": "Agregar Etiquetas",
+      "move_to_department": "Mover a Departamento",
+      "send_reply": "Enviar Respuesta",
+      "add_internal_note": "Agregar Nota Interna",
+      "select_status": "Seleccionar estado...",
+      "select_priority": "Seleccionar prioridad...",
+      "agent_placeholder": "ID o correo del agente",
+      "tags_placeholder": "Nombres de etiquetas separados por comas",
+      "department_placeholder": "ID o nombre del departamento",
+      "reply_placeholder": "Mensaje de respuesta...",
+      "note_placeholder": "Contenido de la nota...",
+      "no_macros": "No hay macros aún",
+      "no_macros_desc": "Crea macros para automatizar acciones repetitivas en tickets",
+      "creator": "Creador",
+      "confirm_delete": "¿Eliminar esta macro? Esta acción no se puede deshacer."
+    },
+    "api_tokens": {
+      "title": "Tokens de API",
+      "subtitle": "Administra tokens de API para aplicaciones de escritorio e integraciones externas.",
+      "create_token": "Crear Token",
+      "api_disabled": "La API REST está actualmente deshabilitada. Configura ESCALATED_API_ENABLED=true en tu archivo .env para habilitarla.",
+      "token_created": "¡Token creado! Cópialo ahora, no se mostrará de nuevo.",
+      "new_token": "Nuevo Token de API",
+      "token_name": "Nombre del Token",
+      "token_name_placeholder": "ej. App de Escritorio - Portátil del Trabajo",
+      "user": "Usuario",
+      "select_user": "Seleccionar usuario...",
+      "abilities": "Permisos",
+      "expires_in": "Expira En (días)",
+      "no_expiration": "Dejar vacío para que no expire",
+      "last_used": "Último Uso",
+      "expires": "Expira",
+      "never": "Nunca",
+      "expired": "Expirado",
+      "revoke": "Revocar",
+      "no_tokens": "No se han creado tokens de API aún.",
+      "confirm_revoke": "¿Estás seguro de que deseas revocar este token? Esta acción no se puede deshacer."
+    },
+    "plugins": {
+      "title": "Plugins",
+      "upload": "Subir Plugin",
+      "plugin_zip": "Archivo ZIP del Plugin",
+      "installed": "Plugins Instalados",
+      "no_plugins": "No hay plugins instalados",
+      "no_plugins_alt": "No hay plugins instalados aún.",
+      "no_plugins_desc": "Sube un archivo ZIP de plugin para extender Escalated con funcionalidad personalizada.",
+      "active": "Activo",
+      "inactive": "Inactivo",
+      "installed_date": "Instalado :date",
+      "menu_items": ":count elemento(s) de menú",
+      "widgets": ":count widget(s)",
+      "page_components": ":count componente(s) de página",
+      "confirm_delete": "¿Estás seguro de que deseas eliminar este plugin? Esta acción no se puede deshacer."
+    }
+  },
+  "agent": {
+    "dashboard": "Panel del Agente",
+    "open_tickets": "Tickets Abiertos",
+    "my_assigned": "Mis Asignados",
+    "unassigned": "Sin Asignar",
+    "sla_breached": "SLA Incumplido",
+    "resolved_today": "Resueltos Hoy",
+    "needs_attention": "Requiere Atención",
+    "sla_breaching": "SLA en Riesgo",
+    "unassigned_urgent": "Urgentes Sin Asignar",
+    "recent_tickets": "Tickets Recientes",
+    "no_recent_tickets": "No hay tickets recientes",
+    "my_performance": "Mi Rendimiento",
+    "resolved_this_week": "Resueltos Esta Semana"
+  },
+  "guest": {
+    "submit_title": "Enviar un Ticket",
+    "submit_heading": "Enviar un Ticket de Soporte",
+    "submit_desc": "No necesitas una cuenta. Te daremos un enlace para seguir tu ticket.",
+    "sign_in_link": "¿Ya tienes una cuenta? Inicia sesión",
+    "your_name": "Tu Nombre",
+    "email_address": "Correo Electrónico",
+    "bookmark_title": "Guarda esta página en favoritos",
+    "bookmark_desc": "Este es tu enlace privado para ver y responder a este ticket.",
+    "copy_link": "Copiar Enlace",
+    "write_reply": "Escribe tu respuesta..."
+  },
+  "customer": {
+    "replies": "Respuestas",
+    "reply": "Responder"
+  },
+  "common": {
+    "change_status": "Cambiar Estado...",
+    "change_priority": "Cambiar Prioridad...",
+    "kb": "KB",
+    "upload": "Subir"
+  }
+}
diff --git a/src/locales/fr.json b/src/locales/fr.json
new file mode 100644
index 0000000..6960892
--- /dev/null
+++ b/src/locales/fr.json
@@ -0,0 +1,442 @@
+{
+  "nav": {
+    "admin": "Administration",
+    "admin_badge": "ADMIN",
+    "agent_panel": "Panneau agent",
+    "back_to_app": "Retour à l'application",
+    "my_tickets": "Mes tickets",
+    "dashboard": "Tableau de bord",
+    "tickets": "Tickets",
+    "reports": "Rapports",
+    "departments": "Départements",
+    "sla_policies": "Politiques SLA",
+    "escalation_rules": "Règles d'escalade",
+    "tags": "Étiquettes",
+    "canned_responses": "Réponses prédéfinies",
+    "macros": "Macros",
+    "api_tokens": "Jetons API",
+    "plugins": "Extensions",
+    "settings": "Paramètres"
+  },
+  "status": {
+    "open": "Ouvert",
+    "in_progress": "En cours",
+    "waiting_on_customer": "En attente du client",
+    "waiting_on_agent": "En attente de l'agent",
+    "escalated": "Escaladé",
+    "resolved": "Résolu",
+    "closed": "Fermé",
+    "reopened": "Rouvert"
+  },
+  "priority": {
+    "low": "Basse",
+    "medium": "Moyenne",
+    "high": "Haute",
+    "urgent": "Urgente",
+    "critical": "Critique"
+  },
+  "activity": {
+    "status_changed": "a changé le statut",
+    "assigned": "a assigné le ticket",
+    "unassigned": "a désassigné le ticket",
+    "priority_changed": "a changé la priorité",
+    "tag_added": "a ajouté une étiquette",
+    "tag_removed": "a retiré une étiquette",
+    "escalated": "a escaladé le ticket",
+    "sla_breached": "SLA dépassé",
+    "replied": "a répondu",
+    "note_added": "a ajouté une note",
+    "department_changed": "a changé le département",
+    "reopened": "a rouvert le ticket",
+    "resolved": "a résolu le ticket",
+    "closed": "a fermé le ticket",
+    "system": "Système",
+    "no_activity": "Aucune activité pour le moment.",
+    "to": "à",
+    "assigned_to": "assigné à"
+  },
+  "ticket": {
+    "reference": "Référence",
+    "subject": "Sujet",
+    "requester": "Demandeur",
+    "status": "Statut",
+    "priority": "Priorité",
+    "assignee": "Assigné à",
+    "last_reply": "Dernière réponse",
+    "unknown": "Inconnu",
+    "unassigned": "Non assigné",
+    "no_tickets": "Aucun ticket trouvé.",
+    "details": "Détails",
+    "department": "Département",
+    "created": "Créé",
+    "activity": "Activité",
+    "conversation": "Conversation",
+    "by": "par",
+    "assign_to_me": "M'assigner",
+    "close_ticket": "Fermer le ticket",
+    "reopen": "Rouvrir",
+    "all_tickets": "Tous les tickets",
+    "ticket_queue": "File d'attente des tickets",
+    "my_tickets": "Mes tickets",
+    "new_ticket": "Nouveau ticket",
+    "create_ticket": "Créer un ticket",
+    "submit_ticket": "Soumettre le ticket",
+    "no_replies": "Aucune réponse pour le moment.",
+    "ticket_closed_no_replies": "Ce ticket est fermé. Aucune réponse supplémentaire ne peut être ajoutée."
+  },
+  "bulk": {
+    "tickets_selected": ":count ticket(s) sélectionné(s)",
+    "status_placeholder": "Statut...",
+    "priority_placeholder": "Priorité...",
+    "assign_placeholder": "Assigner à...",
+    "department_placeholder": "Département...",
+    "delete": "Supprimer",
+    "deselect_all": "Tout désélectionner"
+  },
+  "filter": {
+    "search_tickets": "Rechercher des tickets...",
+    "all_statuses": "Tous les statuts",
+    "all_priorities": "Toutes les priorités",
+    "all_agents": "Tous les agents",
+    "all_departments": "Tous les départements",
+    "following": "Suivis"
+  },
+  "quick_filter": {
+    "my_tickets": "Mes tickets",
+    "unassigned": "Non assignés",
+    "urgent_plus": "Urgent+",
+    "sla_breaching": "SLA en dépassement",
+    "following": "Suivis"
+  },
+  "reply": {
+    "reply": "Répondre",
+    "internal_note": "Note interne",
+    "note_visibility": "Cette note est visible uniquement par les agents.",
+    "placeholder": "Saisissez votre réponse...",
+    "canned_responses": "Réponses prédéfinies...",
+    "add_note": "Ajouter une note",
+    "send_reply": "Envoyer la réponse",
+    "pinned": "Épinglé",
+    "unpin": "Désépingler",
+    "pin": "Épingler",
+    "write_internal_note": "Rédiger une note interne..."
+  },
+  "rating": {
+    "customer_rating": "Évaluation du client",
+    "how_was_experience": "Comment était votre expérience ?",
+    "terrible": "Terrible",
+    "poor": "Mauvaise",
+    "okay": "Correcte",
+    "good": "Bonne",
+    "excellent": "Excellente",
+    "feedback_placeholder": "Des commentaires supplémentaires ? (facultatif)",
+    "thank_you": "Merci pour votre retour !",
+    "submit_rating": "Soumettre l'évaluation",
+    "customer_satisfaction": "Satisfaction client"
+  },
+  "keyboard": {
+    "title": "Raccourcis clavier",
+    "list_view": "Vue liste",
+    "detail_view": "Vue détaillée",
+    "global": "Global",
+    "move_down": "Descendre",
+    "move_up": "Monter",
+    "toggle_select": "Basculer la sélection",
+    "open_ticket": "Ouvrir le ticket",
+    "reply": "Répondre",
+    "internal_note": "Note interne",
+    "change_status": "Changer le statut",
+    "change_priority": "Changer la priorité",
+    "follow_unfollow": "Suivre/Ne plus suivre",
+    "show_help": "Afficher cette aide",
+    "esc_to_close": "Appuyez sur Échap pour fermer"
+  },
+  "sla": {
+    "overdue": "En retard",
+    "breached": "SLA dépassé",
+    "first_response": "Première réponse",
+    "resolution": "Résolution"
+  },
+  "follow": {
+    "following": "Suivi",
+    "follow": "Suivre"
+  },
+  "file": {
+    "drop_or_browse": "Déposez les fichiers ici ou :link",
+    "browse": "parcourir"
+  },
+  "macro": {
+    "apply_macro": "Appliquer une macro",
+    "macros": "Macros",
+    "no_macros": "Aucune macro disponible"
+  },
+  "form": {
+    "name": "Nom",
+    "description": "Description",
+    "slug": "Identifiant",
+    "auto_generated": "Généré automatiquement si vide",
+    "active": "Actif",
+    "update": "Mettre à jour",
+    "create": "Créer",
+    "save": "Enregistrer",
+    "cancel": "Annuler",
+    "edit": "Modifier",
+    "delete": "Supprimer",
+    "actions": "Actions",
+    "order": "Ordre",
+    "value": "Valeur",
+    "yes": "Oui",
+    "no": "Non",
+    "confirm": "Confirmer",
+    "none": "Aucun",
+    "general": "Général",
+    "shared": "Partagé",
+    "private": "Privé",
+    "color": "Couleur",
+    "title": "Titre",
+    "copy": "Copier",
+    "dismiss": "Fermer",
+    "saved": "Enregistré.",
+    "saving": "Enregistrement...",
+    "creating": "Création...",
+    "submitting": "Envoi en cours...",
+    "sending": "Envoi...",
+    "uploading": "Téléversement...",
+    "copied": "Copié !",
+    "subject": "Sujet",
+    "priority": "Priorité",
+    "department": "Département",
+    "attachments": "Pièces jointes"
+  },
+  "presence": {
+    "also_viewing": "Consultent également : :names"
+  },
+  "pinned_notes": {
+    "title": "Notes épinglées",
+    "unpin": "Désépingler"
+  },
+  "admin": {
+    "settings": {
+      "title": "Paramètres",
+      "general": "Général",
+      "guest_tickets": "Tickets invités",
+      "guest_tickets_desc": "Permettre aux visiteurs de soumettre des tickets sans se connecter",
+      "allow_customer_close": "Autoriser la fermeture par le client",
+      "allow_customer_close_desc": "Permettre aux clients de fermer leurs propres tickets",
+      "auto_close": "Fermeture automatique des tickets résolus après",
+      "auto_close_desc": "Nombre de jours après la résolution avant la fermeture automatique (0 pour désactiver)",
+      "days": "jours",
+      "limits": "Limites",
+      "max_attachments": "Nombre maximal de pièces jointes par réponse",
+      "max_attachment_size": "Taille maximale des pièces jointes",
+      "tickets": "Tickets",
+      "reference_prefix": "Préfixe de référence",
+      "reference_prefix_desc": "Préfixe pour les références de tickets (ex. ESC produit ESC-00001)",
+      "inbound_email": "E-mail entrant",
+      "inbound_email_desc": "Permettre la création et la réponse aux tickets par e-mail",
+      "email_provider": "Fournisseur d'e-mail",
+      "email_provider_desc": "Mode de réception des e-mails entrants",
+      "support_email": "Adresse e-mail du support",
+      "support_email_desc": "L'adresse e-mail à laquelle les clients enverront leurs messages (ex. support@exemple.com)",
+      "signing_key": "Clé de signature",
+      "webhook_url": "URL du webhook",
+      "mailgun_webhook_desc": "Configurez cette URL dans votre tableau de bord Mailgun",
+      "inbound_token": "Jeton entrant",
+      "postmark_webhook_desc": "Configurez cette URL dans les paramètres de votre serveur Postmark",
+      "region": "Région",
+      "topic_arn": "ARN du sujet",
+      "ses_webhook_desc": "Configurez cette URL comme point de terminaison de votre abonnement SNS",
+      "host": "Hôte",
+      "port": "Port",
+      "encryption": "Chiffrement",
+      "username": "Nom d'utilisateur",
+      "password": "Mot de passe",
+      "mailbox": "Boîte de réception",
+      "save_settings": "Enregistrer les paramètres"
+    },
+    "reports": {
+      "title": "Rapports",
+      "last_days": ":count derniers jours",
+      "total_tickets": "Total des tickets",
+      "resolved": "Résolus",
+      "avg_first_response": "Temps moyen de première réponse",
+      "sla_breaches": "Dépassements SLA",
+      "by_status": "Par statut",
+      "by_priority": "Par priorité",
+      "no_data": "Aucune donnée de ticket pour cette période",
+      "no_ratings": "Aucune évaluation pour cette période",
+      "ratings_count": "(:count évaluations)"
+    },
+    "departments": {
+      "title": "Départements",
+      "add": "Ajouter un département",
+      "edit_title": "Modifier le département",
+      "new_title": "Nouveau département",
+      "tickets": "Tickets",
+      "agents": "Agents",
+      "no_departments": "Aucun département pour le moment",
+      "no_departments_desc": "Créez votre premier département pour organiser les tickets",
+      "confirm_delete": "Supprimer ce département ?"
+    },
+    "sla_policies": {
+      "title": "Politiques SLA",
+      "add": "Ajouter une politique",
+      "edit_title": "Modifier la politique SLA",
+      "new_title": "Nouvelle politique SLA",
+      "default": "Par défaut",
+      "business_hours": "Heures ouvrées",
+      "business_hours_only": "Heures ouvrées uniquement",
+      "default_policy": "Politique par défaut",
+      "first_response_hours": "Heures de première réponse (par priorité)",
+      "resolution_hours": "Heures de résolution (par priorité)",
+      "no_policies": "Aucune politique SLA pour le moment",
+      "no_policies_desc": "Définissez des objectifs de temps de réponse et de résolution",
+      "confirm_delete": "Supprimer cette politique SLA ?"
+    },
+    "escalation_rules": {
+      "title": "Règles d'escalade",
+      "add": "Ajouter une règle",
+      "edit_title": "Modifier la règle d'escalade",
+      "new_title": "Nouvelle règle d'escalade",
+      "trigger": "Déclencheur",
+      "trigger_type": "Type de déclencheur",
+      "time_based": "Basé sur le temps",
+      "sla_breach": "Dépassement SLA",
+      "priority_based": "Basé sur la priorité",
+      "conditions": "Conditions",
+      "add_short": "+ Ajouter",
+      "status": "Statut",
+      "priority": "Priorité",
+      "assignment": "Assignation",
+      "age_hours": "Ancienneté (heures)",
+      "no_response_hours": "Sans réponse (heures)",
+      "sla_breached": "SLA dépassé",
+      "escalate": "Escalader",
+      "change_priority": "Changer la priorité",
+      "assign_to": "Assigner à",
+      "change_department": "Changer le département",
+      "no_rules": "Aucune règle d'escalade pour le moment",
+      "no_rules_desc": "Configurez l'escalade automatique pour les tickets en retard",
+      "confirm_delete": "Supprimer cette règle d'escalade ?"
+    },
+    "canned_responses": {
+      "title": "Réponses prédéfinies",
+      "add": "Ajouter une réponse",
+      "title_placeholder": "Titre",
+      "body_placeholder": "Corps de la réponse...",
+      "category_placeholder": "Catégorie (facultatif)",
+      "no_responses": "Aucune réponse prédéfinie pour le moment",
+      "no_responses_desc": "Créez des modèles réutilisables pour les réponses courantes",
+      "confirm_delete": "Supprimer cette réponse prédéfinie ?"
+    },
+    "tags": {
+      "title": "Étiquettes",
+      "add": "Ajouter une étiquette",
+      "no_tags": "Aucune étiquette pour le moment",
+      "no_tags_desc": "Créez des étiquettes pour catégoriser et filtrer les tickets",
+      "confirm_delete": "Supprimer cette étiquette ?"
+    },
+    "macros": {
+      "title": "Macros",
+      "subtitle": "Les macros automatisent les actions répétitives sur les tickets.",
+      "create_macro": "Créer une macro",
+      "update_macro": "Mettre à jour la macro",
+      "shared_label": "Partagée avec tous les agents",
+      "add_action": "+ Ajouter une action",
+      "no_actions": "Aucune action pour le moment. Ajoutez des actions pour définir le comportement de cette macro.",
+      "set_status": "Définir le statut",
+      "set_priority": "Définir la priorité",
+      "assign_to": "Assigner à",
+      "add_tags": "Ajouter des étiquettes",
+      "move_to_department": "Déplacer vers le département",
+      "send_reply": "Envoyer une réponse",
+      "add_internal_note": "Ajouter une note interne",
+      "select_status": "Sélectionner le statut...",
+      "select_priority": "Sélectionner la priorité...",
+      "agent_placeholder": "Identifiant ou e-mail de l'agent",
+      "tags_placeholder": "Noms d'étiquettes séparés par des virgules",
+      "department_placeholder": "Identifiant ou nom du département",
+      "reply_placeholder": "Message de réponse...",
+      "note_placeholder": "Contenu de la note...",
+      "no_macros": "Aucune macro pour le moment",
+      "no_macros_desc": "Créez des macros pour automatiser les actions répétitives sur les tickets",
+      "creator": "Créateur",
+      "confirm_delete": "Supprimer cette macro ? Cette action est irréversible."
+    },
+    "api_tokens": {
+      "title": "Jetons API",
+      "subtitle": "Gérez les jetons API pour les applications de bureau et les intégrations externes.",
+      "create_token": "Créer un jeton",
+      "api_disabled": "L'API REST est actuellement désactivée. Définissez ESCALATED_API_ENABLED=true dans votre fichier .env pour l'activer.",
+      "token_created": "Jeton créé ! Copiez-le maintenant — il ne sera plus affiché.",
+      "new_token": "Nouveau jeton API",
+      "token_name": "Nom du jeton",
+      "token_name_placeholder": "ex. Application de bureau - Ordinateur professionnel",
+      "user": "Utilisateur",
+      "select_user": "Sélectionner un utilisateur...",
+      "abilities": "Permissions",
+      "expires_in": "Expire dans (jours)",
+      "no_expiration": "Laissez vide pour aucune expiration",
+      "last_used": "Dernière utilisation",
+      "expires": "Expire",
+      "never": "Jamais",
+      "expired": "Expiré",
+      "revoke": "Révoquer",
+      "no_tokens": "Aucun jeton API créé pour le moment.",
+      "confirm_revoke": "Êtes-vous sûr de vouloir révoquer ce jeton ? Cette action est irréversible."
+    },
+    "plugins": {
+      "title": "Extensions",
+      "upload": "Téléverser une extension",
+      "plugin_zip": "Fichier ZIP de l'extension",
+      "installed": "Extensions installées",
+      "no_plugins": "Aucune extension installée",
+      "no_plugins_alt": "Aucune extension installée pour le moment.",
+      "no_plugins_desc": "Téléversez un fichier ZIP d'extension pour enrichir Escalated avec des fonctionnalités personnalisées.",
+      "active": "Active",
+      "inactive": "Inactive",
+      "installed_date": "Installée le :date",
+      "menu_items": ":count élément(s) de menu",
+      "widgets": ":count widget(s)",
+      "page_components": ":count composant(s) de page",
+      "confirm_delete": "Êtes-vous sûr de vouloir supprimer cette extension ? Cette action est irréversible."
+    }
+  },
+  "agent": {
+    "dashboard": "Tableau de bord agent",
+    "open_tickets": "Tickets ouverts",
+    "my_assigned": "Mes assignations",
+    "unassigned": "Non assignés",
+    "sla_breached": "SLA dépassés",
+    "resolved_today": "Résolus aujourd'hui",
+    "needs_attention": "Nécessite une attention",
+    "sla_breaching": "SLA en dépassement",
+    "unassigned_urgent": "Non assignés urgents",
+    "recent_tickets": "Tickets récents",
+    "no_recent_tickets": "Aucun ticket récent",
+    "my_performance": "Ma performance",
+    "resolved_this_week": "Résolus cette semaine"
+  },
+  "guest": {
+    "submit_title": "Soumettre un ticket",
+    "submit_heading": "Soumettre un ticket de support",
+    "submit_desc": "Aucun compte nécessaire. Nous vous fournirons un lien pour suivre votre ticket.",
+    "sign_in_link": "Vous avez déjà un compte ? Connectez-vous",
+    "your_name": "Votre nom",
+    "email_address": "Adresse e-mail",
+    "bookmark_title": "Ajoutez cette page à vos favoris",
+    "bookmark_desc": "Ceci est votre lien privé pour consulter et répondre à ce ticket.",
+    "copy_link": "Copier le lien",
+    "write_reply": "Rédigez votre réponse..."
+  },
+  "customer": {
+    "replies": "Réponses",
+    "reply": "Répondre"
+  },
+  "common": {
+    "change_status": "Changer le statut...",
+    "change_priority": "Changer la priorité...",
+    "kb": "Ko",
+    "upload": "Téléverser"
+  }
+}
\ No newline at end of file
diff --git a/src/locales/index.js b/src/locales/index.js
new file mode 100644
index 0000000..7e77930
--- /dev/null
+++ b/src/locales/index.js
@@ -0,0 +1,6 @@
+import en from './en.json';
+import es from './es.json';
+import fr from './fr.json';
+import de from './de.json';
+
+export default { en, es, fr, de };
diff --git a/src/utils/sanitizeHtml.js b/src/utils/sanitizeHtml.js
index 5393ee8..fbbc2ed 100644
--- a/src/utils/sanitizeHtml.js
+++ b/src/utils/sanitizeHtml.js
@@ -24,9 +24,16 @@ export function sanitizeHtml(html) {
   clean = clean.replace(STRIP_TAGS_RE, '')
 
   // Remove event handlers (onclick, onerror, etc.)
-  clean = clean.replace(/\s+on\w+\s*=\s*"[^"]*"/gi, '')
-  clean = clean.replace(/\s+on\w+\s*=\s*'[^']*'/gi, '')
-  clean = clean.replace(/\s+on\w+\s*=\s*[^\s>]+/gi, '')
+  // Loop until stable to prevent bypass via nested/overlapping patterns
+  {
+    let prev
+    do {
+      prev = clean
+      clean = clean.replace(/\s+on\w+\s*=\s*"[^"]*"/gi, '')
+      clean = clean.replace(/\s+on\w+\s*=\s*'[^']*'/gi, '')
+      clean = clean.replace(/\s+on\w+\s*=\s*[^\s>]+/gi, '')
+    } while (clean !== prev)
+  }
 
   // Remove javascript: and vbscript: protocols from href/src/action
   clean = clean.replace(/\b(href|src|action)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/gi, '$1="')

From 0eb462c33d3a56287fa3ddb5659f74dd83c14e48 Mon Sep 17 00:00:00 2001
From: Matt Gros <3311227+mpge@users.noreply.github.com>
Date: Sun, 15 Feb 2026 18:49:08 -0500
Subject: [PATCH 5/5] fix: rewrite sanitizer with DOM APIs to resolve CodeQL
 alerts

Replace regex-based sanitization with DOMParser tree-walking approach.
Parses HTML into a DOM tree, removes dangerous elements (script, iframe,
etc.), strips event handler attributes and javascript: URIs by inspecting
parsed attribute names/values. This avoids the incomplete multi-character
sanitization pattern that CodeQL flags with regex replacements.
---
 src/utils/sanitizeHtml.js | 83 ++++++++++++++++++++++-----------------
 1 file changed, 48 insertions(+), 35 deletions(-)

diff --git a/src/utils/sanitizeHtml.js b/src/utils/sanitizeHtml.js
index fbbc2ed..42b4e56 100644
--- a/src/utils/sanitizeHtml.js
+++ b/src/utils/sanitizeHtml.js
@@ -1,51 +1,64 @@
 /**
  * Sanitize HTML to prevent stored XSS.
  *
- * Strips dangerous tags, event handlers, javascript: URIs, and CSS expressions.
- * Mirrors the server-side sanitization in the Adonis/Laravel inbound email services.
+ * Uses the DOM parser to walk the tree and strip dangerous elements and
+ * attributes rather than regex, which avoids incomplete-sanitization pitfalls.
  */
 
-const ALLOWED_TAGS = [
-  'p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'ul', 'ol', 'li',
-  'blockquote', 'pre', 'code', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-  'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span',
-  'hr', 'sub', 'sup', 'dl', 'dt', 'dd',
-]
+const DANGEROUS_TAGS = new Set([
+  'script', 'style', 'iframe', 'object', 'embed', 'form', 'input',
+  'textarea', 'button', 'select', 'option', 'link', 'meta', 'base',
+  'applet', 'noscript', 'noframes',
+])
 
-const TAG_PATTERN = ALLOWED_TAGS.join('|')
-const STRIP_TAGS_RE = new RegExp(`<(?!\\/?(?:${TAG_PATTERN})(?:\\s|>|\\/))\\/?[^>]*>`, 'gi')
+const URI_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href'])
 
 export function sanitizeHtml(html) {
   if (!html) return ''
 
-  let clean = html
-
-  // Strip non-allowed tags
-  clean = clean.replace(STRIP_TAGS_RE, '')
-
-  // Remove event handlers (onclick, onerror, etc.)
-  // Loop until stable to prevent bypass via nested/overlapping patterns
-  {
-    let prev
-    do {
-      prev = clean
-      clean = clean.replace(/\s+on\w+\s*=\s*"[^"]*"/gi, '')
-      clean = clean.replace(/\s+on\w+\s*=\s*'[^']*'/gi, '')
-      clean = clean.replace(/\s+on\w+\s*=\s*[^\s>]+/gi, '')
-    } while (clean !== prev)
+  const doc = new DOMParser().parseFromString(html, 'text/html')
+
+  // Remove dangerous elements
+  for (const tag of DANGEROUS_TAGS) {
+    const els = doc.body.getElementsByTagName(tag)
+    while (els.length) els[0].remove()
   }
 
-  // Remove javascript: and vbscript: protocols from href/src/action
-  clean = clean.replace(/\b(href|src|action)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:/gi, '$1="')
+  // Walk all remaining elements and strip dangerous attributes
+  const all = doc.body.querySelectorAll('*')
+  for (let i = 0; i < all.length; i++) {
+    const el = all[i]
+    const attrs = [...el.attributes]
+    for (let j = 0; j < attrs.length; j++) {
+      const name = attrs[j].name.toLowerCase()
+
+      // Remove event handlers (onclick, onerror, etc.)
+      if (name.startsWith('on')) {
+        el.removeAttribute(attrs[j].name)
+        continue
+      }
 
-  // Remove dangerous data: URIs (allow data:image)
-  clean = clean.replace(/\b(href|src|action)\s*=\s*["']?\s*data\s*:(?!image\/)/gi, '$1="')
+      // Remove javascript: / vbscript: / dangerous data: URIs
+      if (URI_ATTRS.has(name)) {
+        const val = (attrs[j].value || '').replace(/[\s\u0000-\u001F]+/g, '').toLowerCase()
+        if (
+          val.startsWith('javascript:') ||
+          val.startsWith('vbscript:') ||
+          (val.startsWith('data:') && !val.startsWith('data:image/'))
+        ) {
+          el.removeAttribute(attrs[j].name)
+        }
+      }
 
-  // Remove CSS expressions and javascript in style attributes
-  clean = clean.replace(/style\s*=\s*"[^"]*expression\s*\([^"]*"/gi, '')
-  clean = clean.replace(/style\s*=\s*'[^']*expression\s*\([^']*'/gi, '')
-  clean = clean.replace(/style\s*=\s*"[^"]*url\s*\(\s*["']?\s*javascript:[^"]*"/gi, '')
-  clean = clean.replace(/style\s*=\s*'[^']*url\s*\(\s*['"]?\s*javascript:[^']*'/gi, '')
+      // Remove style attributes containing expressions or javascript
+      if (name === 'style') {
+        const val = (attrs[j].value || '').toLowerCase()
+        if (val.includes('expression(') || val.includes('javascript:') || val.includes('url(')) {
+          el.removeAttribute(attrs[j].name)
+        }
+      }
+    }
+  }
 
-  return clean
+  return doc.body.innerHTML
 }