fix: address Copilot PR review suggestions#3
Open
LLOKAI wants to merge 1 commit into
Open
Conversation
LLOKAI
commented
Feb 13, 2026
LLOKAI
commented
Owner
- words.py: replace f-string SQL interpolation with CASE expression to prevent SQL injection pattern
- audio.py: add path traversal protection with resolve() + parent check
- topic.js: use textContent instead of innerHTML for translation display
- app.js: use createElement/textContent instead of innerHTML for category cards
- SCORING.md: fix line number references and remove approximate line refs
- words.py: replace f-string SQL interpolation with CASE expression to prevent SQL injection pattern - audio.py: add path traversal protection with resolve() + parent check - topic.js: use textContent instead of innerHTML for translation display - app.js: use createElement/textContent instead of innerHTML for category cards - SCORING.md: fix line number references and remove approximate line refs
There was a problem hiding this comment.
Pull request overview
This PR addresses prior security and correctness review feedback across the frontend and backend by removing unsafe HTML/SQL patterns, adding path traversal protection, and correcting scoring documentation references.
Changes:
- Frontend: replace
innerHTMLusage with safertextContent/DOM node construction for translations and category cards. - Backend: remove dynamic SQL column interpolation by selecting translations via a parameterized
CASEexpression. - Backend: harden audio file serving against path traversal via
resolve()+ base-directory containment checks, and update SCORING.md references.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| topic.js | Switch translation display from innerHTML to textContent to avoid HTML injection. |
| app.js | Render category cards with DOM APIs instead of innerHTML to avoid HTML injection patterns. |
| backend/app/routes/words.py | Parameterize language selection via SQL CASE instead of interpolating a column name. |
| backend/app/routes/audio.py | Add resolved-path containment checks to prevent path traversal when streaming audio. |
| backend/SCORING.md | Adjust line references and remove approximate line numbers in tuning reference sections. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ### A. Feature weights | ||
|
|
||
| **File:** `feature_comparator.py`, lines 14–20 | ||
| **File:** `feature_comparator.py`, lines 13–19 |
There was a problem hiding this comment.
This reference points to feature_comparator.py, but the actual module in this repo appears to be backend/app/services/feature_comparator.py (consistent with earlier sections of this doc). Update the path here to avoid sending readers to a non-existent file name.
Suggested change
| **File:** `feature_comparator.py`, lines 13–19 | |
| **File:** `backend/app/services/feature_comparator.py`, lines 13–19 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.