Fix bug

[Kathyayani-15]

📌 Fixes

Fixes # (Use "Fixes", "Closes", or "Resolves" for automatic closing)

---

📝 Summary of Changes

Disabled the Generate Report button by default.

Added real-time validation for:

GitHub username (must not be empty)

Date range (From date must be ≤ To date)

The button is enabled only when all required fields are valid.

Prevents empty/invalid report generation and improves overall UX.

---

📸 Screenshots / Demo (if UI-related)

---

✅ Checklist

• I’ve tested my changes locally
• I’ve added tests (if applicable)
• I’ve updated documentation (if applicable)
• My code follows the project’s code style guidelines

---

👀 Reviewer Notes

The validation logic is implemented in popup.js using event listeners on username and date inputs.
No existing report-generation logic was modified — only button enable/disable behavior was added to improve UX and prevent invalid submissions.

Summary by Sourcery

Add input validation and token checks before allowing report generation from the popup.

New Features:

• Disable the Generate Report button by default and enable it only when username and date range inputs are valid.
• Show an inline warning and navigation button when a GitHub token is missing before attempting to fetch report data.

Enhancements:

• Introduce real-time form validation for username and date range fields in the popup to prevent invalid report generation.
• Wire the Generate Report button to a dedicated report-generation handler that uses stored GitHub tokens and existing fetch/render logic.
• Add a dedicated report container element in the popup layout for rendering report content and error messages.

[sourcery-ai]

Reviewer's Guide

Implements front-end validation and UX safeguards around report generation by disabling the Generate Report button until username and date inputs are valid, wiring a dedicated generateReport handler that checks for a stored GitHub token before fetching data, and updating the popup markup to support the new behavior and output container.

Sequence diagram for generateReport flow with token check and validation

sequenceDiagram
  actor User
  participant Popup as PopupUI
  participant Script as popup_js
  participant Storage as chrome_storage_local
  participant GitHub as GitHub_API

  User->>Popup: Open_popup
  Popup->>Script: DOMContentLoaded
  Script->>Popup: applyI18n
  Script->>Popup: Set_generateReport_disabled_true
  Script->>Popup: Attach_input_listeners

  User->>Popup: Type_username
  Popup->>Script: username_input_event
  Script->>Script: validateForm
  Script->>Popup: Enable_or_disable_generateReport

  User->>Popup: Select_from_and_to_dates
  Popup->>Script: date_change_events
  Script->>Script: validateForm
  Script->>Popup: Enable_generateReport_when_valid

  User->>Popup: Click_generateReport
  Popup->>Script: generateReport
  Script->>Storage: get github_token
  Storage-->>Script: github_token_or_null

  alt No_token_present
    Script->>Popup: Render_token_warning_in_report_container
    User->>Popup: Click_add_token_button
    Popup->>Popup: Navigate_to_settings_html
  else Token_present
    Script->>GitHub: fetchGitHubData(token)
    GitHub-->>Script: data_or_error
    alt Fetch_success
      Script->>Popup: renderReport
    else Fetch_error
      Script->>Popup: Show_error_message_in_report_container
    end
  end

Loading

File-Level Changes

Change	Details	Files
Add client-side validation to control when the Generate Report button becomes enabled.	Initialize references to username, from-date, to-date inputs and the generate button on DOMContentLoaded. Implement validateForm() to ensure username is non-empty, both dates are provided, and from date is not after to date. Attach input/change event listeners on the username and date fields to re-run validation and toggle the button’s disabled state.	src/scripts/popup.js
Introduce a report generation flow that checks for a GitHub token before calling existing data-fetching logic.	Define generateReport() to read github_token from chrome.storage.local and short-circuit if the token is missing. Render a warning block with an action button that navigates to settings.html when no token is present. On successful token retrieval, call fetchGitHubData(token), then renderReport, and handle errors by displaying an inline error message. Attach a click listener to the generate-report button that invokes generateReport().	src/scripts/popup.js
Update popup markup to default-disable the Generate Report button and provide a container for report output.	Mark the Generate Report button as disabled by default so it only becomes clickable when validation passes. Add a report-container div to host token warnings, error messages, and generated report content.	src/popup.html

Possibly linked issues

• #: PR implements disabled-by-default button and validation for username and date range exactly as requested in issue
• #N/A: PR adds the no-token warning, explanation, and Add GitHub Token navigation flow exactly as the issue requests.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 2 security issues, 1 other issue, and left some high level feedback:

Security issues:

• User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities (link)
• User controlled data in a container.innerHTML is an anti-pattern that can lead to XSS vulnerabilities (link)

General comments:

• The new generateReport handler is wired to document.getElementById('generate-report-btn'), but the button in popup.html uses the id="generateReport", so the click listener will never be attached—these IDs should be made consistent.
• The generateReport function appears to reimplement report-generation and error rendering logic; consider reusing or refactoring any existing report-generation code to avoid duplication and keep behavior in one place.
• The #report-container div is appended at the very end of popup.html after all scripts, which may not be the intended UX location for error and token messages; it might be clearer to place this container near the report controls so the feedback appears contextually where the user interacts.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new `generateReport` handler is wired to `document.getElementById('generate-report-btn')`, but the button in `popup.html` uses the `id="generateReport"`, so the click listener will never be attached—these IDs should be made consistent.
- The `generateReport` function appears to reimplement report-generation and error rendering logic; consider reusing or refactoring any existing report-generation code to avoid duplication and keep behavior in one place.
- The `#report-container` div is appended at the very end of `popup.html` after all scripts, which may not be the intended UX location for error and token messages; it might be clearer to place this container near the report controls so the feedback appears contextually where the user interacts.

## Individual Comments

### Comment 1
<location path="src/scripts/popup.js" line_range="74-79" />
<code_context>
+        generateBtn.disabled = !isValid;
+    }
+
+    // Attach listeners
+    usernameInput.addEventListener("input", validateForm);
+    fromDateInput.addEventListener("change", validateForm);
+    toDateInput.addEventListener("change", validateForm);
 	// Dark mode setup
 	const darkModeToggle = document.querySelector('img[alt="Night Mode"]');
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Consider invoking `validateForm` once on load to ensure the disabled state matches any prefilled values.

Because the button is only toggled in response to `input`/`change` events, any prefilled or autofilled values won’t update its state and it may stay disabled until the user edits a field. Calling `validateForm()` once after registering the listeners will align the initial button state with the current field values.

```suggestion
    // Attach listeners
    usernameInput.addEventListener("input", validateForm);
    fromDateInput.addEventListener("change", validateForm);
    toDateInput.addEventListener("change", validateForm);

    // Initialize button state based on any prefilled/autofilled values
    validateForm();

	// Dark mode setup
	const darkModeToggle = document.querySelector('img[alt="Night Mode"]');
```
</issue_to_address>

### Comment 2
<location path="src/scripts/popup.js" line_range="232" />
<code_context>
                container.innerHTML = `<p style="color:red;">Error fetching data: ${err.message}</p>`;
</code_context>
<issue_to_address>
**security (javascript.browser.security.insecure-document-method):** User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

### Comment 3
<location path="src/scripts/popup.js" line_range="232" />
<code_context>
                container.innerHTML = `<p style="color:red;">Error fetching data: ${err.message}</p>`;
</code_context>
<issue_to_address>
**security (javascript.browser.security.insecure-innerhtml):** User controlled data in a `container.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities

*Source: opengrep*
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (bug_risk): Consider invoking validateForm once on load to ensure the disabled state matches any prefilled values.

Because the button is only toggled in response to input/change events, any prefilled or autofilled values won’t update its state and it may stay disabled until the user edits a field. Calling validateForm() once after registering the listeners will align the initial button state with the current field values.

Suggested change

	// Attach listeners
	usernameInput.addEventListener("input", validateForm);
	fromDateInput.addEventListener("change", validateForm);
	toDateInput.addEventListener("change", validateForm);
	// Dark mode setup
	const darkModeToggle = document.querySelector('img[alt="Night Mode"]');
	// Attach listeners
	usernameInput.addEventListener("input", validateForm);
	fromDateInput.addEventListener("change", validateForm);
	toDateInput.addEventListener("change", validateForm);
	// Initialize button state based on any prefilled/autofilled values
	validateForm();
	// Dark mode setup
	const darkModeToggle = document.querySelector('img[alt="Night Mode"]');

[sourcery-ai]

security (javascript.browser.security.insecure-document-method): User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities

Source: opengrep

[sourcery-ai]

security (javascript.browser.security.insecure-innerhtml): User controlled data in a container.innerHTML is an anti-pattern that can lead to XSS vulnerabilities

Source: opengrep

[Mateeb-Haider]

@Kathyayani-15
This issue has already been resolved in #332. Could you please close this PR to avoid duplication?
Kindly check for existing related PRs/issues before submitting new ones to prevent overlapping work.
Thanku!

[vedansh-5]

Thanks @Kathyayani-15 for your contribution.

This bug is already being addressed in #332, so I’m closing this PR to avoid duplication. We don’t want contributors spending effort on issues that are already in progress or resolved.

Please feel free to pick up another issue from the issues list and continue contributing.