ossf · david-a-wheeler · Jan 30, 2025 · Jan 30, 2025 · Jan 30, 2025 · Jan 30, 2025
diff --git a/docs/labs/argument-injection.js b/docs/labs/argument-injection.js
@@ -70,7 +70,7 @@ info =
     {
       present: String.raw`\) \) =>`,
       text: "The `exec` function should be closed in later lines, not here."
-    }
+    },
   ],
   expected: [
     `execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {`
@@ -89,7 +89,7 @@ info =
       "    execFile('git', ['blame', '--', filePath], { shell: false }, (error, stdout, stderr) => {",
       "    execFile('git', ['blame', '--', filePath], (error, stdout, stderr) => {",
       "    execFile('git', ['blame', '--', filePath], {}, (error, stdout, stderr) => {"
-    ]
+    ],
   ],
   failures: [
     [
@@ -100,6 +100,6 @@ info =
     ],
     [
       "    execFile('git blame', [filePath], { shell: false }, (error, stdout, stderr) => {"
-    ]
-  ]
-}
+    ],
+  ],
+};
diff --git a/docs/labs/assert.js b/docs/labs/assert.js
@@ -6,14 +6,14 @@ info =
       text: "The whole point of this exercise is to NOT use `assert` as a way to validate input from untrusted users.",
       examples: [
         [ "assert !bindingResult.hasErrors();\n" ]
-      ]
+      ],
     },
     {
       absent: String.raw`^\s* if `,
       text: "Begin with `if` so you can return a result if there are errors.",
       examples: [
         [ "return \"form\";" ]
-      ]
+      ],
     },
     {
       present: "(bindingresult|BindingResult)",
@@ -28,14 +28,14 @@ info =
       text: "In Java, after the keyword `if` you must have an open left parenthesis. Conventionally there is one space between the `if` keyword and the open left parenthesis.",
       examples: [
         [ "if bindingResult.hasErrors" ]
-      ]
+      ],
     },
     {
       present: String.raw`^\s*if\s*\(\s*\!binding`,
       text: "You have an extraneous `!` (not operator). Use the expression if (bindingResult.hasErrors()) ...",
       examples: [
         [ "if (!bindingResult.hasErrors())" ]
-      ]
+      ],
     },
     {
       absent: String.raw`^ if \( bindingResult \. hasErrors \( \) \) `,
@@ -79,5 +79,5 @@ info =
     [ "if ( ! bindingResult . hasErrors ( ) ) { return \"form\" ; }\n" ],
     [ "if bindingResult . hasErrors ( ) { return \"form\" ; }\n" ],
     [ "if ( bindingResult . hasErrors ) { return \"form\" ; }\n" ],
-  ]
-}
+  ],
+};
diff --git a/docs/labs/commaize b/docs/labs/commaize
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Add trailing commas and terminating semicolon to lab data files
+
+for file in [a-z]*.js
+do
+  # Skip checker, that has more than data in it.
+  if [ "$file" == 'checker.js' ]; then
+    continue
+  fi
+
+  # Skip anything that isn't a lab data file.
+  if ! grep -q 'info =' "$file"; then
+    continue
+  fi
+
+  htmlfile="${file%.js}.html"
+  echo "Modifying $file for $htmlfile"
+
+  sed -E -e 's/^( +(\]|\}))$/\1,/' -e '$s/^\}$/};/' "$file" > ,1
+  mv ,1 "$file"
+done
diff --git a/docs/labs/conversion.js b/docs/labs/conversion.js
@@ -8,12 +8,12 @@ info =
     {
       present: String.raw`unsigned\s+queue_count`,
       text: "The declared return type of get_queue is `unsigned int`; you should match it exactly instead of using a synonym like `unsigned`."
-    }
+    },
   ],
   expected: [
     'unsigned int queue_count = 0;'
   ],
   correct: [
     String.raw`^ unsigned\s+int\s+queue_count = 0 ; $`
   ],
-}
+};
diff --git a/docs/labs/create_checker.md b/docs/labs/create_checker.md
@@ -128,10 +128,11 @@ The basic inputs are:
 The number of attempt fields (in the HTML), the number of `expected` values,
 and the number of `correct` values much match.
 
-### JavaScript strings
+### JavaScript notation
 
-The lab data is expressed using JavaScript strings.
-There's more than one way to express a string in JavaScript, each
+The lab data is expressed using JavaScript, primarily as
+JavaScript strings.
+There's more than one way to express a string in JavaScript, and each
 has its advantages:
 
 * "..." - double-quoted string. You don't need to do anything special to
@@ -148,6 +149,15 @@ has its advantages:
   These are often useful for patterns.
   Use ${BACKQUOTE} for &#96; and ${DOLLAR} for $.
 
+JavaScript allows trailing commas, and we encourage using them.
+In other words,
+a list in JavaScript can have the form `[ 'a', 'b', 'c', ]`
+(note the trailing comma after `'c'`).
+Using trailing commas reduces the likelihood of
+a common error: forgetting to add a comma when you add an item to a list.
+Using trailing commas means that when you add a new item (`'d'`) at the end,
+you *already* have the comma ready for use.
+
 ### Expressing correct answer patterns
 
 The patterns used for `correct` and `hints`
@@ -299,6 +309,8 @@ Here's an explanation of this pattern:
    This that one of the following patterns is allowed:
    `'id'` or `"id"` or <tt>&#96;id&#96</tt> (and nothing else).
    Again, the space after it means 0+ spaces are allowed.
+   WARNING: If you use JavaScript raw strings or templates, you
+   need to escape the backquote (&#96;) character.
 
 5. The `\)` matches a literal close parenthesis,
    while `\.` matches a literal period.

diff --git a/docs/labs/csp1.js b/docs/labs/csp1.js
@@ -7,8 +7,8 @@ info =
       examples: [
         [
           "import express from \"express\";"
-        ]
-      ]
+        ],
+      ],
     },
     {
       absent: "const",
@@ -20,21 +20,21 @@ info =
       examples: [
         [ "const" ],
         [ "consthelmet = " ]
-      ]
+      ],
     },
     {
       present: String.raw`require \( helmet \)`,
       text: "The parameter of a requirement statement must be string. Surround the term helment with double-quotes.",
       examples: [
         [ "  const helmet = require(helmet);" ]
-      ]
+      ],
     },
     {
       absent: "; $",
       text: "JavaScript doesn''t require semicolon terminators, but the rest of the code uses them. You should try to match a coding style when modifying existing code unless there''s an important reason not to. Please update the first statment.",
       examples: [
         [ "  const helmet = require(\"helmet\")" ]
-      ]
+      ],
     },
     {
       absent: String.raw`\s* app \. use \( helmet \( \{`,
@@ -83,7 +83,7 @@ info =
     },
     {
       text: "I do not have more specific hints to provide. Please ensure that the parentheses, braces, and brackets pair correctly, as that is often the problem."
-    }
+    },
   ],
   expected: [
     'const helmet = require("helmet");',
@@ -93,7 +93,7 @@ info =
       "script-src": ["'self'", "https://example.com"],
       "style-src": ["'self'"]
     },
-  }
+  },
 }));`
   ],
   correct: [
@@ -107,4 +107,4 @@ info =
     \} ,?
   \} \) \) ; \s*`
   ],
-}
+};
diff --git a/docs/labs/deserialization.js b/docs/labs/deserialization.js
@@ -28,7 +28,7 @@ info =
     {
       term: "CONDALL",
       value: "(COND0 && (COND1 && COND2|COND2 && COND1))"
-    }
+    },
   ],
   hints: [
     {
@@ -61,8 +61,8 @@ info =
         [
           "const data = JSON.parse(base64Decoded);",
           "if data.username {\n"
-        ]
-      ]
+        ],
+      ],
     },
     {
       absent: String.raw`data \. username
@@ -100,9 +100,9 @@ info =
         [
           "const data = JSON.parse(base64Decoded);",
           "if (typeof data.username == 'string' && data.username.length < 20 && data.username) {"
-        ]
-      ]
-    }
+        ],
+      ],
+    },
   ],
   expected: [
     '  const data = JSON.parse(base64Decoded);',
@@ -128,12 +128,12 @@ info =
     [
       "const data = JSON.parse(base64Decoded);",
       "if (data.username && typeof data.username == 'string' && (data.username.length < 20)) {"
-    ]
+    ],
   ],
   failures: [
     [
       "const data = JSON.parse(base64Decoded);",
       "if (data.username && (typeof data.username == 'string')) && (data.username.length < 20)) {"
-    ]
-  ]
-}
+    ],
+  ],
+};
diff --git a/docs/labs/format-strings.js b/docs/labs/format-strings.js
@@ -22,7 +22,7 @@ info =
       absent: String.raw`\'\{event.level\},\{event.message\}\'
 `,
       text: "The constant text `'{event.level},{event.message}'` should be present."
-    }
+    },
   ],
   expected: [
     String.raw`def format_event(new_event):
@@ -31,4 +31,4 @@ info =
   correct: [
     String.raw`(\r?\n)*def\x20+format_event\x20*\( new_event \)\x20*:(\r?\n)\x20+return\x20+'{event\.level},{event\.message}'\x20*\.\x20*format\x20*\( event = new_event \) \s*`
   ],
-}
+};
diff --git a/docs/labs/free.js b/docs/labs/free.js
@@ -7,8 +7,8 @@ info =
       examples: [
         [
           "free(s);\nasprintf(&result, \"pre_%s_post\", s);"
-        ]
-      ]
+        ],
+      ],
     },
     {
       present: String.raw`\s* asprintf \(`,
@@ -17,8 +17,8 @@ info =
       examples: [
         [
           "asprintf(&result, \"\"pre_%s_post\"\", s);"
-        ]
-      ]
+        ],
+      ],
     },
     {
       absent: "return",
@@ -30,18 +30,18 @@ info =
       examples: [
         [
           "asprintf(&result, \"pre_%s_post\", s);\nfree(s);\nreturn result"
-        ]
-      ]
+        ],
+      ],
     },
     {
       present: String.raw`\s* return result ; free \s*`,
       text: "Do not do anything after the return, it will not execute.",
       examples: [
         [
           "asprintf(&result, \"pre_%s_post\", s);\nreturn result;\nfree(s);"
-        ]
-      ]
-    }
+        ],
+      ],
+    },
   ],
   expected: [
 `  asprintf(&result, "pre_%s_post", s);
@@ -54,4 +54,4 @@ info =
       free \( s \) ;
       return result ; \s*`
   ],
-}
+};