🔒️(frontend) validate emoji in notifications to prevent forbidden emoji

Add validation for emoji received through notifications to ensure
participants cannot send forbidden emoji characters. Improves security
by filtering potentially problematic content before display.

src/frontend/src/features/notifications/MainNotificationToast.tsx

@@ -7,7 +7,10 @@ import { NotificationDuration } from './NotificationDuration'
 import { Div } from '@/primitives'
 import { ChatMessage, isMobileBrowser } from '@livekit/components-core'
 import { useNotificationSound } from '@/features/notifications/hooks/useSoundNotification'
-import { Reaction } from '@/features/rooms/livekit/components/controls/ReactionsToggle'
+import {
+  EMOJIS,
+  Reaction,
+} from '@/features/rooms/livekit/components/controls/ReactionsToggle'
 import {
   ANIMATION_DURATION,
   ReactionPortals,
@@ -44,7 +47,7 @@ export const MainNotificationToast = () => {
   }, [room, triggerNotificationSound])
 
   const handleEmoji = (emoji: string, participant: Participant) => {
-    if (!emoji) return
+    if (!emoji || !EMOJIS.includes(emoji)) return
     const id = instanceIdRef.current++
     setReactions((prev) => [
       ...prev,

src/frontend/src/features/rooms/livekit/components/controls/ReactionsToggle.tsx

@@ -13,7 +13,8 @@ import {
 import { Toolbar as RACToolbar } from 'react-aria-components'
 import { Participant } from 'livekit-client'
 
-const EMOJIS = ['👍', '👎', '👏', '❤️', '😂', '😮', '🎉']
+// eslint-disable-next-line react-refresh/only-export-components
+export const EMOJIS = ['👍', '👎', '👏', '❤️', '😂', '😮', '🎉']
 
 export interface Reaction {
   id: number
@@ -144,7 +145,6 @@ export const ReactionsToggle = () => {
           </div>
         )}
       </div>
-
       <ReactionPortals reactions={reactions} />
     </>
   )