|
| 1 | +--- |
| 2 | +name: code-review-guidelines |
| 3 | +description: > |
| 4 | + Applies accumulated project-specific codebase review rules and best practices. |
| 5 | + Use when generating, refactoring, or reviewing frontend HTML, rendering logic, or Python generation scripts (like generate_index.py). |
| 6 | +--- |
| 7 | + |
| 8 | +# Code Review Guidelines Skill |
| 9 | + |
| 10 | +## Goal |
| 11 | + |
| 12 | +To maintain security, robustness, idempotency, and technical accuracy across the project's frontend and generator code, based on accumulated review feedback. |
| 13 | + |
| 14 | +## Instructions |
| 15 | + |
| 16 | +Whenever you write, refactor, or review code for this project, you **MUST** ensure the following rules are met: |
| 17 | + |
| 18 | +### 1. Security & XSS Prevention |
| 19 | + |
| 20 | +- Never use `innerHTML` in templates or frontend JavaScript. Always use `textContent` and DOM APIs. |
| 21 | +- When embedding variables into HTML attributes (e.g., `href`, `class`) or text from backend/generator scripts (like `generate_index.py`), you **MUST** escape them using native escaping functions (e.g., `html.escape(..., quote=True)` in Python). |
| 22 | + |
| 23 | +### 2. Asset Management & CDN Links |
| 24 | + |
| 25 | +- **Regex Replacing:** When rewriting CDN URLs to local `/vendor/...` paths, use robust regex patterns (e.g., matching `@<version>` segments) rather than literal string replacements. |
| 26 | +- **SRI Stripping:** If an asset link is changed from an external CDN to a local `/vendor/` path, you **MUST** strip any `integrity="..."` and `crossorigin="..."` attributes from the corresponding `<script>` or `<link>` tags to prevent the browser from blocking the local file due to hash mismatch. |
| 27 | + |
| 28 | +### 3. Rendering Robustness (PrismJS & UI) |
| 29 | + |
| 30 | +- Do not rely on brittle `setTimeout` delays to wait for the DOM or dynamic content to render. |
| 31 | +- **High-Performance Scheduling:** Use `requestIdleCallback` (with a `requestAnimationFrame` and `setTimeout` fallback for Safari/older browsers) to trigger UI updates like `Prism.highlightAll()`. |
| 32 | +- **Dynamic Content Observation:** Attach a `MutationObserver` to re-trigger highlighting or UI updates automatically when new elements are injected into the DOM. |
| 33 | + |
| 34 | +### 4. Data Handling & Idempotency |
| 35 | + |
| 36 | +- **UI Data Types:** Use the correct native data types in source data (e.g., use the primitive `null` instead of the string `"NULL"` in JSON/JS objects). Convert them to display strings (like `"NULL"`) _only_ at the rendering/display layer. |
| 37 | +- **Idempotency:** When appending labels, suffixes, or classes (e.g., appending " (detailed)" to a title), check if the string is already present before appending it to avoid duplicates. |
| 38 | + |
| 39 | +### 5. Technical Accuracy |
| 40 | + |
| 41 | +- Ensure that technical explanations in learning materials (e.g., `README.html`) are precise and accurately reflect the differences between tools. |
| 42 | +- _Example:_ SQL `GROUP BY` treats `NULL` values as a single group, whereas `pandas.groupby` explicitly drops `NA` keys by default (`dropna=True`). |
| 43 | + |
| 44 | +## Examples |
| 45 | + |
| 46 | +### XSS Prevention in Python |
| 47 | + |
| 48 | +**Input:** Outputting an encoded path to an href attribute. |
| 49 | +**Output:** |
| 50 | + |
| 51 | +```python |
| 52 | +# GOOD |
| 53 | +safe_encoded_path = html.escape(urllib.parse.quote(path), quote=True) |
| 54 | +html_str = f'<a href="{safe_encoded_path}">' |
| 55 | + |
| 56 | +# BAD |
| 57 | +html_str = f'<a href="{urllib.parse.quote(path)}">' |
| 58 | +``` |
| 59 | + |
| 60 | +### Robust Rendering in JavaScript |
| 61 | + |
| 62 | +**Input:** Triggering Prism highlighting after React renders. |
| 63 | +**Output:** |
| 64 | + |
| 65 | +```javascript |
| 66 | +// GOOD |
| 67 | +const scheduleHighlight = () => { |
| 68 | + const highlight = () => { |
| 69 | + if (window.Prism) { |
| 70 | + Prism.highlightAll(); |
| 71 | + } |
| 72 | + }; |
| 73 | + if (window.requestIdleCallback) { |
| 74 | + requestIdleCallback(highlight, { timeout: 1000 }); |
| 75 | + } else { |
| 76 | + requestAnimationFrame(() => setTimeout(highlight, 0)); |
| 77 | + } |
| 78 | +}; |
| 79 | + |
| 80 | +const observer = new MutationObserver((mutations) => { |
| 81 | + if (mutations.some((m) => m.addedNodes.length > 0)) { |
| 82 | + scheduleHighlight(); |
| 83 | + } |
| 84 | +}); |
| 85 | +observer.observe(document.getElementById('root'), { childList: true, subtree: true }); |
| 86 | +scheduleHighlight(); |
| 87 | +``` |
| 88 | + |
| 89 | +## Constraints |
| 90 | + |
| 91 | +- Do not bypass security validations for the sake of brevity. |
| 92 | +- Do not add external library dependencies to solve these issues; use native browser/language features (e.g., vanilla JS `MutationObserver`, standard lib `html`). |
0 commit comments