feat: add maximally portable share card functionality

[zzstoatzz]

Closes #62

Summary

Implemented a comprehensive share card system for maximally portable status sharing across platforms.

Features

• Share button with modal interface
• Platform-specific sharing (BlueSky, Twitter/X, SMS, Email, Mastodon)
• Dynamic SVG-based Open Graph images
• Copy-to-clipboard functionality
• Native Web Share API support

Testing

• Test share button functionality
• Verify platform-specific share links
• Check Open Graph image generation
• Test on mobile devices

🤖 Generated with Claude Code

[claude]

Code Review for PR #63: Share Card Functionality

✅ Strengths

• Well-structured implementation: Clean separation of concerns with backend SVG generation and frontend modal interface
• Comprehensive platform support: Good coverage of popular social platforms (BlueSky, Twitter/X, Mastodon, Email, SMS)
• Progressive enhancement: Fallback to clipboard copy when native share API unavailable
• Accessibility: Proper ARIA labels, keyboard navigation (Escape key), and semantic HTML

🔍 Issues & Recommendations

1. Security Concern - XSS Vulnerability 🔴

The SVG generation in src/api/status_read.rs lines 514-527 directly interpolates user-controlled data without proper escaping. The handle and text variables are inserted directly into the SVG format string, which could allow XSS if they contain malicious content.

Fix: HTML-escape all user inputs before interpolation. Implement an escape function for special characters.

2. Performance - Missing Caching Headers ⚠️

The OG image endpoint regenerates SVGs on every request without caching. Since status updates are relatively infrequent, this is inefficient.

Fix: Add Cache-Control headers with appropriate max-age values (e.g., 5 minutes).

3. Text Truncation Bug ⚠️

Text truncation at line 523 uses byte indexing which can panic on multi-byte UTF-8 characters if the 60th byte falls in the middle of a character.

Fix: Use character-based truncation instead of byte-based slicing.

4. Frontend Template Injection Risk 🟡

JavaScript template literals in status.html directly interpolate server-side values without proper escaping, which could lead to script injection.

Fix: Use data attributes and DOM APIs instead of direct template interpolation in JavaScript strings.

5. Mobile Detection Issue ⚠️

SMS share uses unreliable user-agent sniffing that excludes tablets and can be spoofed.

Fix: Use feature detection (touch events, screen size) instead of user-agent parsing.

6. Missing Error Handling 🟡

• No error handling for failed BlueSky handle resolution
• Silent failures in share operations with no user feedback

📋 Test Coverage Gap

All test items in the PR checklist are unchecked. Critical areas needing tests:

• SVG generation with various emoji types
• XSS prevention validation
• Share URL generation across platforms
• Modal keyboard navigation

🎯 Performance Suggestions

• Use template tags for modal HTML to defer parsing
• Add debouncing to prevent double-clicks on share button
• Consider lazy-loading platform icons

✨ Minor Improvements

• Add rel="noopener noreferrer" to external links for security
• Include Twitter Card validator meta tags
• Add loading states for async operations

Verdict

The implementation shows good UX design and accessibility considerations, but requires security fixes before merging - particularly the XSS vulnerability in SVG generation and the UTF-8 truncation bug. Once these issues are addressed, this will be a valuable addition to the platform.