slices.network / tools
Tools for the Atmosphere tools.slices.network
quickslice atproto html
fork atom
tools / TODO.md
at main 3.1 kB view raw view code

TODO#

Lexicon Publisher#

Remaining issues from code review (2025-12-23).

Important#

CSP unsafe-inline vulnerability#

lexicon-publisher.html:7-9

The CSP includes 'unsafe-inline' for both scripts and styles, which defeats much of the purpose of having a CSP. Requires major refactor to move inline scripts/styles to external files or use nonces.

Pin quickslice to specific version#

lexicon-publisher.html:777

Currently using @main branch which can change at any time. Pin to a specific commit or tag and add SRI integrity attribute.

Validate DNS lookup inputs#

lexicon-publisher.html:1802-1812

The resolveDNS() function directly uses user-controlled domain names without validation. Should validate domain names against RFC standards before DNS lookup.

Full re-render performance#

lexicon-publisher.html

renderAllSteps() rebuilds the entire UI on every state change, losing focus/scroll position. Consider targeted updates for specific UI sections.

Accessibility improvements#

lexicon-publisher.html

  • Add role="progressbar" or role="tablist" for wizard
  • Add aria-label to buttons with only icons
  • Add aria-live regions for status messages
  • Add aria-expanded for collapsible sections
  • Make step headers keyboard navigable
  • Add escape key handler for dialogs

Medium#

escapeAttr() missing single quote escape#

lexicon-publisher.html:940

Add .replace(/'/g, "'") to prevent attribute injection with single quotes.

Domain extraction edge cases#

lexicon-publisher.html:1672-1698

getUserDomain() assumes all domains are TLD + SLD (e.g., example.com). Fails for country-code TLDs like .co.uk. Consider using a public suffix list.

No file count limit in ZIP#

lexicon-publisher.html:2044-2051

While there's a check for zero files, there's no upper limit. A ZIP with thousands of files could freeze the browser. Add reasonable limit (e.g., 100 files).

Clipboard API fallback#

lexicon-publisher.html:1836-1840

No user feedback on success/failure and no fallback for older browsers. Add toast notification and document.execCommand('copy') fallback.

OAuth callback race condition#

lexicon-publisher.html:2130-2146

If handleRedirectCallback() fails, the URL still has ?code=... but history is only replaced on success. Move window.history.replaceState() to a finally block.

Low Priority#

Split into multiple files#

lexicon-publisher.html (2200+ lines)

Consider splitting into separate HTML, CSS, and JS files for maintainability. This would also help solve the CSP unsafe-inline issue.

Add lexicon preview#

Users can't see what a lexicon defines without reading JSON. Add human-readable schema preview.

Add export functionality#

Users can upload ZIPs but can't download their lexicons. Add "Export as ZIP" feature.

Add schema templates#

Provide multiple templates: record, query, procedure, subscription.

Real-time validation#

Add debounced validation as users type instead of only on "Continue to Publish".