
Address PR #5 review: tighten validator and template#6

Merged
SunnyDevendranadh merged 1 commit into main from claude/bloom-design-improvements-RylGV on May 15, 2026

Conversation

@SunnyDevendranadh
Owner

Addresses the 5 minor issues from the code review:

  • no-external-deps: detect dynamic import() via lookbehind; scope ESM import/export to <script> blocks. Lookbehind fixes a line-number off-by-one when the prefix newline was being captured.
  • no-hardcoded-hex: mask url(...) contents and quoted strings before scanning, so URL fragments like icon-3f4a2b.png or #abc123 no longer false-positive as colors.
  • security-hardening: rewrite the innerHTML check to capture the RHS and inspect it programmatically. Now correctly:
    • passes static string literals ("..." or '...')
    • passes backtick templates without interpolation
    • flags template literals containing ${ ... }
    • flags bare variable assignments
    Error message distinguishes "template literal with interpolation" from "non-literal expression".
  • tests: add explicit "zero issues" assertion for valid.html; add new valid-with-urls.html fixture covering hex-like strings inside url() / quotes; extend security fixture with template-literal cases.
  • status-report-v2.html: replace orphan <a href="#pr-NNNN"> anchors with <span class="pr-link"> — same styling, no broken links.

Addresses the 5 minor issues from the code review:

- no-external-deps: detect dynamic import() via lookbehind; scope ESM
  import/export to <script> blocks. Lookbehind fixes a line-number
  off-by-one when the prefix newline was being captured.
- no-hardcoded-hex: mask url(...) contents and quoted strings before
  scanning, so URL fragments like icon-3f4a2b.png or #abc123 no longer
  false-positive as colors.
- security-hardening: rewrite the innerHTML check to capture the RHS
  and inspect it programmatically. Now correctly:
    - passes static string literals ("..." or '...')
    - passes backtick templates without interpolation
    - flags template literals containing ${ ... }
    - flags bare variable assignments
  Error message distinguishes "template literal with interpolation"
  from "non-literal expression".
- tests: add explicit "zero issues" assertion for valid.html; add
  new valid-with-urls.html fixture covering hex-like strings inside
  url() / quotes; extend security fixture with template-literal cases.
- status-report-v2.html: replace orphan <a href="#pr-NNNN"> anchors
  with <span class="pr-link"> — same styling, no broken links.
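The two script-scoped checks the description talks about (the innerHTML right-hand-side classification and the dynamic `import()` lookbehind, both restricted to `<script>` bodies), written out as an added example. This is not the project's validator code; every name in it (`extractScripts`, `readRhs`, `classifyRhs`, `runChecks`, `legacyDynamicImport`) and the sample HTML are assumptions made for the example. `legacyDynamicImport` reproduces the capturing-prefix pattern the PR replaced, so the line-number off-by-one it mentions can be seen side by side with the lookbehind version.

```javascript
// Added example (not the project's own validator): two script-scoped checks in the
// shape the PR describes. All names here (extractScripts, runChecks, ...) are hypothetical.

// Line number (1-based) of a character offset within `text`.
const lineOf = (text, index) => text.slice(0, index).split('\n').length;

// Return each <script> body together with the file line on which the body starts,
// so rules only see JavaScript and findings still map back to the HTML file.
function extractScripts(html) {
  const blocks = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const bodyStart = m.index + m[0].length - '</script>'.length - m[1].length;
    blocks.push({ body: m[1], startLine: lineOf(html, bodyStart) });
  }
  return blocks;
}

// Read the right-hand side of an assignment starting at `start`, stopping at the
// first `;` or newline that is not inside a quoted string or template literal.
function readRhs(code, start) {
  let quote = null, i = start;
  for (; i < code.length; i++) {
    const c = code[i];
    if (quote) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === ';' || c === '\n') break;
  }
  return code.slice(start, i).trim();
}

// Classify an innerHTML right-hand side: static literals pass; anything that can
// carry runtime data is reported with a message naming which case it is.
function classifyRhs(rhs) {
  if (/^(["'])(?:\\.|(?!\1)[^\\\n])*\1$/.test(rhs)) return null;            // "..." or '...'
  if (rhs.length >= 2 && rhs.startsWith('`') && rhs.endsWith('`')) {
    return /(?<!\\)\$\{/.test(rhs.slice(1, -1)) ? 'template literal with interpolation' : null;
  }
  return 'non-literal expression';                                            // identifier, call, concat, ...
}

function checkInnerHtml(code) {
  const issues = [];
  for (const m of code.matchAll(/\.innerHTML\s*\+?=(?!=)/g)) {
    const reason = classifyRhs(readRhs(code, m.index + m[0].length));
    if (reason) issues.push({ rule: 'security-hardening', line: lineOf(code, m.index),
                              message: `innerHTML assigned ${reason}` });
  }
  return issues;
}

// Dynamic import(): the lookbehind rejects `obj.import(` and `reimport(` without
// consuming the preceding character, so m.index is the `i` of `import` itself.
function checkDynamicImport(code) {
  return [...code.matchAll(/(?<![\w$.])import\s*\(/g)]
    .map((m) => ({ rule: 'no-external-deps', line: lineOf(code, m.index), message: 'dynamic import()' }));
}

// The pattern the PR moved away from: a capturing prefix. When `import(` starts a
// line the captured prefix is the newline, so the reported line is one too low.
function legacyDynamicImport(code) {
  return [...code.matchAll(/(^|[^\w$.])import\s*\(/g)]
    .map((m) => ({ rule: 'no-external-deps', line: lineOf(code, m.index), message: 'dynamic import()' }));
}

// Run both checks over every <script> body and rebase line numbers onto the file.
function runChecks(html, dynamicImportCheck = checkDynamicImport) {
  const issues = [];
  for (const { body, startLine } of extractScripts(html)) {
    for (const issue of [...checkInnerHtml(body), ...dynamicImportCheck(body)]) {
      issues.push({ ...issue, line: startLine - 1 + issue.line });
    }
  }
  return issues.sort((a, b) => a.line - b.line);
}

// Constructed input: lines 3-10 are the script; line 2 must be ignored.
const SAMPLE_HTML = [
  '<!doctype html>',                                // 1
  '<p>import("x") in prose is not code</p>',        // 2
  '<script>',                                       // 3
  '  const el = document.getElementById("out");',  // 4
  '  el.innerHTML = "<p>static</p>";',              // 5  passes: string literal
  '  el.innerHTML = `<li>${name}</li>`;',           // 6  flagged: interpolation
  '  el.innerHTML = userInput;',                    // 7  flagged: non-literal
  '  loader.reimport("a"); obj.import("b");',       // 8  not a dynamic import
  'import("./widget.js").then(run);',               // 9  flagged: dynamic import
  '</script>',                                      // 10
].join('\n');

console.log(JSON.stringify(runChecks(SAMPLE_HTML), null, 2));
```

Running it reports lines 6, 7 and 9; swapping in `legacyDynamicImport` reports the import on line 8, which is the off-by-one the description refers to. Reading the right-hand side with a small quote-aware scanner rather than a regex is what lets a static string containing `;` or `>` still pass.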
@SunnyDevendranadh SunnyDevendranadh merged commit 035636d into main May 15, 2026
@SunnyDevendranadh SunnyDevendranadh deleted the claude/bloom-design-improvements-RylGV branch May 19, 2026 14:59
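The masking step behind the no-hardcoded-hex change, as an added example that is not the project's code: `url(...)` contents and quoted strings are blanked out with same-length whitespace before the colour scan, so offsets and line numbers still refer to the original text. The function names (`maskNonColorRegions`, `findHardcodedHex`) and the sample stylesheet are assumptions; the `mask: false` path shows what the scan reported before masking.

```javascript
// Added example (not the project's own code): the no-hardcoded-hex idea from the PR.
// Regions that legitimately contain hex-looking text are blanked before the colour
// scan, keeping offsets intact so line numbers still point at the source.
// Names (maskNonColorRegions, findHardcodedHex) are hypothetical.

const HEX_COLOR_RE = /#(?:[0-9a-f]{8}|[0-9a-f]{6}|[0-9a-f]{3,4})\b/gi;

// Replace every character of a match except newlines with a space, so the masked
// text has the same length and the same line structure as the original.
const blank = (match) => match.replace(/[^\n]/g, ' ');

function maskNonColorRegions(text) {
  return text
    .replace(/url\([^)]*\)/gi, blank)                               // url(icons.svg#abc123)
    .replace(/"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g, blank);   // "#abc123", '...', href="#..."
}

function findHardcodedHex(text, { mask = true } = {}) {
  const haystack = mask ? maskNonColorRegions(text) : text;
  return [...haystack.matchAll(HEX_COLOR_RE)].map((m) => ({
    line: text.slice(0, m.index).split('\n').length,
    value: text.slice(m.index, m.index + m[0].length),   // read back from the original
  }));
}

// Constructed stylesheet: only lines 3 and 5 carry real colour literals.
const SAMPLE_CSS = [
  ':root { --accent: var(--brand); }',              // 1
  '.logo { background: url(icons.svg#abc123); }',   // 2  SVG fragment id
  'a { color: #abc123; }',                          // 3  hard-coded colour
  '.tag::before { content: "#abc123"; }',           // 4  text, not a colour
  '.box { border: 1px solid #fff; }',               // 5  hard-coded colour
  '.icon { background: url("icon-3f4a2b.png"); }',  // 6  asset name
].join('\n');

console.log(findHardcodedHex(SAMPLE_CSS));                  // lines 3 and 5
console.log(findHardcodedHex(SAMPLE_CSS, { mask: false }));  // lines 2, 3, 4, 5
```

Blanking with spaces instead of deleting the region is the detail that matters: `m.index` from the masked text can be reused against the original, which is how the reported value and line stay correct.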