chore: remove resolved plan for JSON attribute escaping

This commit is contained in:
2026-06-26 23:41:04 +02:00
parent 07eae2d971
commit 34d2b37e94
4 changed files with 137 additions and 70 deletions

View File

@@ -1,32 +0,0 @@
---
finding: "Fix broken Go lint baseline"
catalog: "DX / Tooling"
impact: "The documented full verification gate cannot pass because Go lint currently fails."
base_commit: "0d31d46"
---
## Effort
S - one focused refactor plus verification.
## Risk
LOW - the change should preserve behavior and only reduce function complexity.
## Confidence
HIGH - `bun run lint:go` fails reproducibly on one function.
## Evidence
- `internal/observability/fx.go:22` defines `describeFXEventError` with a large type switch.
- `bun run lint:go` reports `cyclop`: calculated cyclomatic complexity is 11, max is 10.
- `justfile:40` defines `check` as `lint test typecheck build`, so this failure breaks `just check`.
## Resolution Approach
Refactor `describeFXEventError` without changing the log events it emits. Keep the same public behavior: `LogEvent` should call `describeFXEventError`, ignore events with no error, and log failed Fx lifecycle events with the same event names and field maps.
A small, safe approach is to split the switch into narrower helpers, for example one helper for constructor/invoke/run failures and one helper for lifecycle/start/stop/rollback failures. Another acceptable approach is to use small typed helper functions for repeated return shapes. Do not suppress the linter unless a refactor proves impossible.
Add or update tests if existing tests cover Fx event descriptions. Verify with `bun run lint:go`, then run `go test ./...`. After this lands, `just check` should be able to proceed past Go lint.

View File

@@ -1,35 +0,0 @@
---
finding: "Stop marking JSON attributes as trusted HTML"
catalog: "Security"
impact: "Provider-controlled strings can break quoted data attributes on the watch page, creating an HTML injection risk."
base_commit: "0d31d46"
---
## Effort
S - localized template helper and tests.
## Risk
LOW - the intended behavior is still to serialize data for client-side parsing, but escaping must be handled by `html/template`.
## Confidence
HIGH - the current helper explicitly bypasses contextual escaping.
## Evidence
- `templates/funcs.go:37-42` marshals JSON and returns `template.HTMLAttr`.
- `templates/renderer.go:46-50` registers the helper as `json`.
- `templates/components/video_player.gohtml:10-12` embeds JSON inside single-quoted `data-*` attributes.
- `internal/playback/watch_data.go:181-188` copies provider subtitle labels into that serialized payload.
## Resolution Approach
Change the JSON serialization path so marshaled JSON is not marked as trusted `template.HTMLAttr`. Let `html/template` perform contextual escaping, or move larger JSON payloads into `<script type="application/json">` blocks where the template engine can safely escape script content.
The executor should preserve the client contract used by `static/player/state.ts`: the player still needs to read mode sources, available modes, and skip segments from the rendered page. If the storage location changes from `data-*` attributes to JSON script tags, update the parser in one place and add tests around that parser.
Add a template or renderer test that renders a watch-page-like payload containing apostrophes, double quotes, angle brackets, and ampersands in provider-controlled fields such as subtitle labels. The test should assert the rendered HTML does not create new attributes or tags and that the browser-side parser can recover the original data.
Verify with `go test ./templates ./internal/playback/...`, `bunx tsc -p tsconfig.json --noEmit`, and `bun test`.