Auto-decode URL-encoded content pasted into Gemini Prompt

[simonw]

Adds a paste event listener on the Content textarea that detects
URL-encoded text (containing %XX hex sequences) and automatically
decodes it via decodeURIComponent. Falls back to normal paste if
decoding fails (malformed sequences).

https://claude.ai/code/session_013F3xkvp8LebNQ9wPj3d1md

[claude]

Claude finished @simonw's task —— View job

---

Code Review Results

Reviewing the auto-decode URL-encoded content feature:

• Read and analyze the implementation
• Evaluate code quality and best practices
• Check for potential bugs or issues
• Assess performance considerations
• Review security concerns
• Evaluate test coverage

Implementation Analysis

The feature adds a paste event listener to the content textarea (lines 522-541) that:

1. Detects URL-encoded text using regex /%[0-9A-Fa-f]{2}/
2. Attempts to decode using decodeURIComponent()
3. Replaces the pasted content if decoding succeeds and differs from original
4. Falls back to normal paste behavior on decode errors

Review Feedback

✅ Code Quality & Best Practices

• Well-structured: Clean event handler with proper error handling
• Consistent style: Matches existing code conventions (ES6, clear variable names)
• Good user experience: Non-intrusive - only activates when URL encoding is detected
• Smart fallback: Gracefully handles malformed sequences by allowing normal paste

⚠️ Potential Issues

1. Regex Precision (gemini-prompt.html:525):

   if (/%[0-9A-Fa-f]{2}/.test(text)) {

   • Could match false positives like markdown headers (# Some text 100%ABC12)
   • Consider more specific pattern: /(?:%[0-9A-Fa-f]{2}){2,}/ for multiple consecutive sequences

2. Cursor Positioning Edge Case (gemini-prompt.html:534-535):

   const cursor = start + decoded.length;
   ta.selectionStart = ta.selectionEnd = cursor;

   • If decoded text is shorter, cursor might be in unexpected position for user
   • Consider preserving relative position when possible

✅ Performance Considerations

• Lightweight: Only runs on paste events, minimal overhead
• Early exit: Regex test prevents unnecessary decode attempts
• No memory leaks: No persistent references or timers

✅ Security Concerns

• Safe decoding: Uses built-in decodeURIComponent()
• XSS protection: Not vulnerable since decoded text goes to textarea value, not innerHTML
• No injection risk: Content is user-controlled and not executed

❌ Test Coverage

• Missing tests: No automated tests for this functionality
• Suggest adding:
  • Unit tests for URL decode detection/behavior
  • Edge cases: malformed sequences, mixed content, empty strings
  • User interaction tests for cursor positioning

💡 Minor Enhancements

1. More specific regex to reduce false positives
2. Preserve cursor position when decoded text length differs significantly
3. Add tests for comprehensive coverage

Overall Assessment

Strong implementation with good error handling and user experience. The security approach is sound, and performance impact is minimal. Main improvements would be adding tests and refining the URL detection regex.

---