feat: Roadmap #85
feat: Roadmaps
Setup Supabase SSR
Add audit logs for roadmaps
| href={`${getPageUrl(page, settings)}/roadmap/${ | ||
| boardForm.slug | ||
| }`} |
Check warning: Code scanning / CodeQL
DOM text reinterpreted as HTML (Medium)
Copilot Autofix
AI about 2 months ago
How to fix (in general terms):
Sanitize the user input used to construct URLs to ensure it does not contain dangerous or unexpected characters. Always encode or restrict such values so that generated links cannot contain JavaScript, extra slashes, or HTML characters.
Detailed fix (for this file):
- Ensure `boardForm.slug` is a clean, "slug-safe" string before using it in the URL.
- Best way: Sanitize the slug value right before rendering, even if upstream validation exists.
- For visible text, React will escape text automatically; for `href`, ensure the interpolated slug cannot break out of the intended URL context (e.g., by starting with `//`, `/`, or `javascript:`).
- In this case, implement a simple "escapeSlug" function to sanitize, and use it everywhere `boardForm.slug` is interpolated in a URL.
- Optionally, if `validateSlug()` is robust and restrictions are checked on every input, one could reuse the `generateSlugFromTitle` logic or defensively replace non-slug characters just before rendering.
Specific changes:
- In `apps/web/pages/pages/[page_id]/roadmap/[board_id]/settings.tsx`:
  - Add an `escapeSlug` function (if not already present) that matches the slug rules (e.g., alphanumeric and hyphens only).
  - In the JSX where the slug is used, replace `{boardForm.slug}` with `{escapeSlug(boardForm.slug)}` in both `href` and visible text to ensure only safe characters are used in the link.
Needed:
- Method: `escapeSlug` (definition in the component scope).
- Imports: none (unless we want to use e.g., lodash's `kebabCase`, but a custom function is simple here).
- Usage: Replace direct slug interpolation with `escapeSlug(boardForm.slug)` in all relevant places.
| @@ -105,6 +105,15 @@ | ||
| categories, | ||
| initialTab, | ||
| }: InferGetServerSidePropsType<typeof getServerSideProps>) { | ||
| // Ensure the slug is strictly alphanumeric-hyphen for safety | ||
| function escapeSlug(slug: string): string { | ||
| return (slug || "") | ||
| .toLowerCase() | ||
| .replace(/[^a-z0-9-]/g, "") | ||
| .replace(/-+/g, "-") // collapse multiple hyphens | ||
| .replace(/^-|-$/g, ""); // trim hyphens from ends | ||
| } | ||
|
|
||
| const router = useRouter(); | ||
| const { supabase, user } = useUserData(); | ||
| const { settings: clientSettings } = usePageSettings(page_id, false); | ||
| @@ -759,13 +768,13 @@ | ||
| Public URL:{" "} | ||
| <a | ||
| href={`${getPageUrl(page, settings)}/roadmap/${ | ||
| boardForm.slug | ||
| escapeSlug(boardForm.slug) | ||
| }`} | ||
| target="_blank" | ||
| rel="noopener noreferrer" | ||
| className="text-indigo-600 dark:text-indigo-400 hover:text-indigo-500 dark:hover:text-indigo-300 underline" | ||
| > | ||
| {getPageUrl(page, settings)}/roadmap/{boardForm.slug} | ||
| {getPageUrl(page, settings)}/roadmap/{escapeSlug(boardForm.slug)} | ||
| </a> | ||
| </p> | ||
| {boardForm.is_public && ( |
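Review bot: when `escapeSlug(boardForm.slug)` strips every character (a slug consisting only of punctuation or whitespace), the `href` becomes `${getPageUrl(page, settings)}/roadmap/` and the anchor still renders as a clickable link to a non-existent board; consider rendering the public URL `<a>` only when the sanitized slug is non-empty, in the same way the following block is guarded by `boardForm.is_public`. Also, this change sanitizes only the slug segment: `getPageUrl(page, settings)` is interpolated into the same `href` unchanged, so confirm its output is not user-controlled (or is validated upstream), otherwise the CodeQL finding still applies to that part of the URL.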
Add support for deleting roadmap board
No description provided.
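The CodeQL alert and autofix above concern a slug interpolated into an `href`. The following is an added example, not code from this PR or from the project: it shows the same strip-to-`[a-z0-9-]` sanitization the autofix proposes, a validator that checks a stored slug against that rule so it can be enforced at save time as well, and a URL builder that refuses to produce a link when nothing usable survives sanitization. `isValidSlug`, `buildRoadmapUrl` and the sample slugs are assumptions constructed for this example.

```typescript
// Added example (not the project's own code): slug sanitization for building
// public roadmap URLs, following the rule in the autofix above
// (lowercase alphanumerics and single hyphens only).
// `isValidSlug`, `buildRoadmapUrl` and SAMPLE_SLUGS are constructed for this example.

// A slug that already satisfies the rule: no leading/trailing/double hyphens.
const SLUG_PATTERN = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

/** Reduce arbitrary input to lowercase alphanumerics and single hyphens. */
function escapeSlug(slug: string): string {
  return (slug || "")
    .toLowerCase()
    .replace(/[^a-z0-9-]/g, "") // drop anything that could change URL context (':', '/', '<', ...)
    .replace(/-+/g, "-") // collapse runs of hyphens
    .replace(/^-|-$/g, ""); // trim hyphens from both ends
}

/** True when a stored slug already obeys the rule, i.e. escapeSlug() would not rewrite it. */
function isValidSlug(slug: string): boolean {
  return SLUG_PATTERN.test(slug);
}

/**
 * Build the public roadmap URL for a board. Returns null instead of a link to
 * `/roadmap/` when sanitization leaves nothing, so the caller can disable the anchor.
 */
function buildRoadmapUrl(pageUrl: string, slug: string): string | null {
  const safe = escapeSlug(slug);
  if (safe.length === 0) return null;
  return `${pageUrl}/roadmap/${safe}`;
}

// Constructed sample inputs: [input, expected sanitized output].
const SAMPLE_SLUGS: Array<[string, string]> = [
  ["q3-launch", "q3-launch"], // benign, unchanged
  ["Q3 Launch!", "q3launch"], // lowercased, space and punctuation stripped
  ["javascript:alert(1)", "javascriptalert1"], // ':' and parentheses removed, no scheme survives
  ["//evil.example/path", "evilexamplepath"], // protocol-relative prefix and '/' removed
  ["<img src=x onerror=1>", "imgsrcxonerror1"], // markup characters removed
  ["--double--hyphen--", "double-hyphen"], // hyphens collapsed and trimmed
  ["!!!", ""], // nothing usable left
];

/** Run every sample through the sanitizer; returns the mismatches (empty when all pass). */
function checkSamples(): Array<[string, string, string]> {
  const failures: Array<[string, string, string]> = [];
  for (const [input, expected] of SAMPLE_SLUGS) {
    const actual = escapeSlug(input);
    if (actual !== expected) failures.push([input, expected, actual]);
  }
  return failures;
}
```

Because `escapeSlug` strips characters instead of encoding them, distinct stored values can map to the same sanitized slug (`"Q3 Launch!"` and `"q3launch"` both yield `q3launch`); that is why the same rule is worth enforcing with `isValidSlug` when the slug is saved, so the displayed link always matches the stored route.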