
feat: add maximally portable share card functionality#63

Open
zzstoatzz wants to merge 1 commit into main from claude/issue-62-20250922-0419

Conversation

@zzstoatzz
Owner

Closes #62

Summary

Implemented a comprehensive share card system for maximally portable status sharing across platforms.

Features

  • Share button with modal interface
  • Platform-specific sharing (BlueSky, Twitter/X, SMS, Email, Mastodon)
  • Dynamic SVG-based Open Graph images
  • Copy-to-clipboard functionality
  • Native Web Share API support

Testing

  • Test share button functionality
  • Verify platform-specific share links
  • Check Open Graph image generation
  • Test on mobile devices

🤖 Generated with Claude Code

- Add share button to status display page
- Create share modal with platform-specific sharing options (BlueSky, Twitter/X, SMS, Email, Mastodon)
- Implement copy-to-clipboard for share URL
- Add dynamic SVG Open Graph image generation endpoint
- Update meta tags to use dynamic share card images
- Support Web Share API for native sharing on mobile

Co-authored-by: nate nowack <zzstoatzz@users.noreply.github.com>
@claude

claude bot commented Sep 22, 2025

Code Review for PR #63: Share Card Functionality

✅ Strengths

  • Well-structured implementation: Clean separation of concerns with backend SVG generation and frontend modal interface
  • Comprehensive platform support: Good coverage of popular social platforms (BlueSky, Twitter/X, Mastodon, Email, SMS)
  • Progressive enhancement: Fallback to clipboard copy when native share API unavailable
  • Accessibility: Proper ARIA labels, keyboard navigation (Escape key), and semantic HTML

🔍 Issues & Recommendations

1. Security Concern - XSS Vulnerability 🔴

The SVG generation in src/api/status_read.rs lines 514-527 directly interpolates user-controlled data without proper escaping. The handle and text variables are inserted directly into the SVG format string, which could allow XSS if they contain malicious content.

Fix: HTML-escape all user inputs before interpolation. Implement an escape function for special characters.

2. Performance - Missing Caching Headers ⚠️

The OG image endpoint regenerates SVGs on every request without caching. Since status updates are relatively infrequent, this is inefficient.

Fix: Add Cache-Control headers with appropriate max-age values (e.g., 5 minutes).

3. Text Truncation Bug ⚠️

Text truncation at line 523 uses byte indexing which can panic on multi-byte UTF-8 characters if the 60th byte falls in the middle of a character.

Fix: Use character-based truncation instead of byte-based slicing.

4. Frontend Template Injection Risk 🟡

JavaScript template literals in status.html directly interpolate server-side values without proper escaping, which could lead to script injection.

Fix: Use data attributes and DOM APIs instead of direct template interpolation in JavaScript strings.

5. Mobile Detection Issue ⚠️

SMS share uses unreliable user-agent sniffing that excludes tablets and can be spoofed.

Fix: Use feature detection (touch events, screen size) instead of user-agent parsing.

6. Missing Error Handling 🟡

  • No error handling for failed BlueSky handle resolution
  • Silent failures in share operations with no user feedback

📋 Test Coverage Gap

All test items in the PR checklist are unchecked. Critical areas needing tests:

  • SVG generation with various emoji types
  • XSS prevention validation
  • Share URL generation across platforms
  • Modal keyboard navigation

🎯 Performance Suggestions

  • Use template tags for modal HTML to defer parsing
  • Add debouncing to prevent double-clicks on share button
  • Consider lazy-loading platform icons

✨ Minor Improvements

  • Add rel="noopener noreferrer" to external links for security
  • Include Twitter Card validator meta tags
  • Add loading states for async operations

Verdict

The implementation shows good UX design and accessibility considerations, but requires security fixes before merging - particularly the XSS vulnerability in SVG generation and the UTF-8 truncation bug. Once these issues are addressed, this will be a valuable addition to the platform.
