# TODO

## Lexicon Publisher

Remaining issues from code review (2025-12-23).

### Important

#### CSP `unsafe-inline` vulnerability
**lexicon-publisher.html:7-9**

The CSP includes `'unsafe-inline'` for both scripts and styles, which defeats much of the purpose of having a CSP. Requires major refactor to move inline scripts/styles to external files or use nonces.

#### Pin quickslice to specific version
**lexicon-publisher.html:777**

Currently using `@main` branch which can change at any time. Pin to a specific commit or tag and add SRI integrity attribute.

#### Validate DNS lookup inputs
**lexicon-publisher.html:1802-1812**

The `resolveDNS()` function passes user-controlled domain names straight to the DNS lookup without validation. Validate that the input is a syntactically valid hostname (per the relevant RFCs) before performing the lookup.

#### Full re-render performance
**lexicon-publisher.html**

`renderAllSteps()` rebuilds the entire UI on every state change, losing focus/scroll position. Consider targeted updates for specific UI sections.

#### Accessibility improvements
**lexicon-publisher.html**

- Add `role="progressbar"` or `role="tablist"` for wizard
- Add `aria-label` to buttons with only icons
- Add `aria-live` regions for status messages
- Add `aria-expanded` for collapsible sections
- Make step headers keyboard navigable
- Add escape key handler for dialogs

### Medium

#### `escapeAttr()` missing single quote escape
**lexicon-publisher.html:940**

Add `.replace(/'/g, "&#39;")` so a single quote cannot terminate a single-quoted attribute value; otherwise user input can inject additional attributes.
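
Added example (not code from lexicon-publisher.html): a complete attribute escaper covering all five delimiter characters, plus a helper that checks a single-quoted attribute built from user input stays intact. The function names and sample inputs are assumptions for illustration.

```javascript
// Added example, not the lexicon-publisher.html implementation.
// Maps every character that can break out of an HTML attribute value
// to its entity; "'" is the one the original escapeAttr() omits.
const ATTR_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single-pass replacement, so "&" never gets double-escaped.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Renders a title attribute using single-quote delimiters. Without the
// "'" entry above, a value containing ' could close the attribute early.
function renderTitleAttr(userValue) {
  return `<span title='${escapeAttr(userValue)}'></span>`;
}

// Sanity check: after escaping, the only raw single quotes in the markup
// must be the two attribute delimiters.
function attributeStaysIntact(userValue) {
  const html = renderTitleAttr(userValue);
  return (html.match(/'/g) || []).length === 2;
}
```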

#### Domain extraction edge cases
**lexicon-publisher.html:1672-1698**

`getUserDomain()` assumes all domains are TLD + SLD (e.g., `example.com`). Fails for country-code TLDs like `.co.uk`. Consider using a public suffix list.

#### No file count limit in ZIP
**lexicon-publisher.html:2044-2051**

While there's a check for zero files, there's no upper limit. A ZIP with thousands of files could freeze the browser. Add a reasonable limit (e.g., 100 files).

#### Clipboard API fallback
**lexicon-publisher.html:1836-1840**

No user feedback on success/failure and no fallback for older browsers. Add toast notification and `document.execCommand('copy')` fallback.

#### OAuth callback race condition
**lexicon-publisher.html:2130-2146**

If `handleRedirectCallback()` fails, the URL still has `?code=...` but history is only replaced on success. Move `window.history.replaceState()` to a `finally` block.

### Low Priority

#### Split into multiple files
**lexicon-publisher.html (2200+ lines)**

Consider splitting into separate HTML, CSS, and JS files for maintainability. This would also help solve the CSP `unsafe-inline` issue.

#### Add lexicon preview
Users can't see what a lexicon defines without reading JSON. Add human-readable schema preview.

#### Add export functionality
Users can upload ZIPs but can't download their lexicons. Add "Export as ZIP" feature.

#### Add schema templates
Provide multiple templates: record, query, procedure, subscription.

#### Real-time validation
Add debounced validation as users type instead of only on "Continue to Publish".