fix(tradein-frontend): safeUrl validator, apiFetch dedup, ListingsCard a11y, error boundary #512
No reviewers
Labels
No labels
admin
analytics
auth
automation
bug
business
chore
ci
compliance
data
data-moat
docs
duplicate
dx
enhancement
Fable 5 ревью
feedback/max
generative
GG-форсайт
needs-discussion
needs-human
observability
pause-bots
performance
priority/p0
priority/p1
priority/p2
priority/p3
scope/backend
scope/db
scope/devops
scope/frontend
scope/qa
scrapers
security
site-finder
stage/1
stage/2
status/blocked
status/done
status/needs-analysis
status/needs-fix
status/qa
status/ready
status/review
status/wip
tech-debt
tradein
ux
week ревью 1
wontfix
вторичка
ИРД
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: lekss361/gendesign#512
Loading…
Add table
Reference in a new issue
No description provided.
Delete branch "feat/tradein-frontend-security-a11y"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Four security/UX fixes from 2026-05-24 trade-in audit:
lib/safeUrl.ts(new): validate external URLs vianew URL(), reject non-http(s)schemes. Backend supplieslot.source_urlverbatim from scraped sites —javascript:/data:/file:would have executed on click.lib/api.ts: refactorapiFetchto delegate toapiFetchWithStatus(which already had the correct read-body-once pattern). Drops the body-stream-twice anti-pattern; both functions retain their signatures.components/trade-in/ListingsCard.tsx: drop<tr onClick={...}>(not keyboard accessible), keep the inline<a>as the only interactive element, gatehrefthroughsafeUrl().app/error.tsx(new): Next 15 App Router route-segment error boundary. Prevents white-screen on component crash; renders Russian error UI with reset button + error.digest for tracing.Scope-cuts vs original audit
lib/sessionId.ts:11(native + Math.random fallback for HTTP). No change needed.DealsCard.tsx/IMVBenchmark.tsx— neither renders user-supplied URLs (DealsCard has no<a>, IMVBenchmark links to a hardcodedavito.rudomain).safeUrl()is reusable for future components.safeUrl smoke (from worker)
Test plan
lot.source_url = "javascript:alert(1)"via DevTools mutation of TanStack Query cache; verify<a>is not rendered (href would be null).error.tsxrenders with reset button instead of white screen.<a>row-link receives focus, Enter opens the external listing in new tab.apiFetch<T>throwsHTTPErrorwith parsed-or-fallback body (no "body stream already read" exception).Deep Code Review — verdict
Summary
0767fb74· head sha5bd9c2fSecurity 🔒
lib/safeUrl.ts— WHATWGURLparser + stricthttp:/https:allowlist. Correctly blocksjavascript:/data:/vbscript:/file:/ftp:/custom schemes. Type guardtypeof raw !== "string"defends against runtime non-string mutation (TanStack cache poisoning, backend type drift).u.toString()returns WHATWG-canonical form — prevents smuggling via backslash mixing.ListingsCard.tsx—rel="noopener noreferrer"retained,<tr onClick>removed (was keyboard-inaccessible), inline<a>becomes sole interactive element. Tab+Enter UX restored.error.tsx—error.digestinterpolated via React JSX (auto-escaped). No DOM injection vector.IDN homograph (intentional non-blocker)
new URL()accepts Cyrillic/IDN hostnames — by design. Blocking IDN at the validator would break legitimate scraped listings from РФ sites (entire product domain). XSS execution requires scheme, not hostname; IDN homograph is a phishing concern, not script execution. Correct scope cut for this PR.Correctness 🎯
apiFetchnow delegates toapiFetchWithStatus. Behavior change: throwsHTTPError extends Error(carries.status+.body) instead of plainError. All consumers inlib/trade-in-api.tsare TanStack Query hooks treating errors as opaqueError— fully backward-compatible.apiFetchhad "body-stream-twice" bug — actually the old code only read the body once per call path (.text()in error,.json()on success — never both in same call). The refactor is still net-positive: DRY, single error-handling path, richer thrown errors. Just want to flag the description nuance for the record.error.tsxmatches Next 15 App Routererror.tsxcontract ("use client",{error, reset}props,useEffectfor logging).Performance ⚡
No regression.
new URL()perAnalogRowrender is negligible.Vault cross-check 📚
decisions/Decision_TradeIn_DataQuality_8PR_Roadmap(findings #3/#7/#8/#16 from 2026-05-24 audit — explicitly enumerated in PR body).safeUrlnaming precedent fromold/fixes/Bug_RenderMarkdown_JavascriptUrl_May14. Allowlist is narrower (nomailto:///#) — correct for scraped external listing URLs, not user markdown.Tests 🧪
No automated tests added;
tradein-mvp/frontend/has no existing test infra. PR includes manual smoke results + 4-item test-plan checklist. Acceptable for scope per project conventions.Positive
safeUrlis reusable for future scraped-URL surfaces (DealsCard/IMVBenchmark called out in PR body as future consumers).error.tsxuses inline styles + CSS vars — renders even if Tailwind fails to hydrate, which is what you want from an error boundary.Complexity / blast radius