Refactor API calls and prepare for openfoodfacts-js integration #111
…tion Co-authored-by: teolemon <[email protected]>
Co-authored-by: teolemon <[email protected]>
| var apiProductURL = OFFApiHelpers.buildProductApiUrl(code); | ||
| log("API: " + apiProductURL); | ||
| // build edit url | ||
| var editURL = document.location.protocol + "//" + document.location.host + "/cgi/product.pl?type=edit&code=" + code; | ||
| var productUrls = OFFApiHelpers.buildProductUrls(code); |
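Review bot: the editURL line still assembles the edit URL by hand, concatenating code straight into the query string, while the very next line calls OFFApiHelpers.buildProductUrls(code), which the PR description says already returns the edit URL; drop the manual construction and use the helper's edit URL, and make sure the helper passes the barcode through formatBarcode() (or at least encodeURIComponent) before embedding it, since a raw user-controlled value in a URL string is the same class of sink CodeQL flags further down.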
Check failure: Code scanning / CodeQL: Client-side cross-site scripting (High), user-provided value.
Copilot Autofix (AI, 3 months ago):
To fix this vulnerability, we should ensure that user-provided input is properly encoded/escaped before being inserted into an HTML context—especially within dynamically constructed strings given to jQuery's .append(). The best practice here is to avoid building HTML strings with embedded untrusted data; instead, create elements using jQuery or the DOM API and set attributes/contents safely to be escaped automatically. Specifically:
- Instead of constructing the <span>/<a> HTML as a string, we use jQuery to create the <span> and <a> elements, set their attributes using .attr(), and append them, so that values are safely escaped.
- This change should be made where sameBrandProductsURL (line 797) and the surrounding HTML are inserted via .append() on line 796.
- No new methods or imports are necessary; jQuery is already present.
| @@ -792,11 +792,15 @@ | ||
| "//" + document.location.host + | ||
| '/state/brands-to-be-completed/code/' + | ||
| sameBrandProducts; | ||
| $("#barcode_paragraph") | ||
| .append(' <span id="sameBrandProductLink" class="productLink">[<a href="' + | ||
| sameBrandProductsURL + | ||
| '" title="Products without brand that might be from this brand">'+ | ||
| 'Non-branded ϵ same brand?</a>]</span>'); | ||
| // Construct link safely using jQuery to avoid XSS | ||
| var $brandSpan = $('<span>', { id: 'sameBrandProductLink', class: 'productLink' }).append( | ||
| '[', $('<a>', { | ||
| href: sameBrandProductsURL, | ||
| title: 'Products without brand that might be from this brand', | ||
| text: 'Non-branded ϵ same brand?' | ||
| }), ']' | ||
| ); | ||
| $("#barcode_paragraph").append(' ', $brandSpan); | ||
| // Google Link | ||
| var googleLink = 'https://www.google.com/search?q=' + code; | ||
| $("#barcode_paragraph") |
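Review bot: the replacement is sound for the brand link, because $('<a>', { href: ..., text: ... }) sets href as an attribute and text as text content rather than markup, so sameBrandProductsURL can no longer close the attribute; two caveats on the same lines, though: .append('[', ..., ']') still interprets its string arguments as HTML, so only literal strings belong there, and swapping the text key for html would reintroduce the sink. The pattern the fix removes continues right after the fixed span: googleLink is built with code appended raw to the search URL, and the following $("#barcode_paragraph") call, cut off here, presumably appends it as a string; give that block the same element construction and run the barcode through encodeURIComponent before placing it in the query string.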
This PR refactors the Power User Script to prepare for integration with the official openfoodfacts-js library by creating a clean abstraction layer for API interactions.
Changes Made
API Abstraction Layer
- OFFApiHelpers utility object that centralizes all API interactions
Code Improvements
- OFFApiHelpers.getProduct() and getProductImages()
- buildProductUrls() generates view, edit, API, and image URLs consistently
- formatBarcode() and extractBarcodeFromUrl() with validation
- getCurrentDomain() automatically detects country and language settings
Before/After Examples
Before (manual API calls):
After (using helpers):
Future Integration Path
The helper functions are designed to be easily replaceable with openfoodfacts-js library calls:
- OFFApiHelpers.getProduct() → offClient.getProductV2()
- OFFApiHelpers.getProductImages() → offClient.getProductV2(barcode, "images")
Functions Ready for Upstreaming
Several utility functions could benefit the broader Open Food Facts ecosystem:
- getProductImageUrl())
See UPSTREAM_CANDIDATES.md for detailed documentation.
Integration Blockers
Currently blocked on openfoodfacts-js needing a UMD/browser build for userscript compatibility. The current ESM/CJS builds don't work in userscript environments due to module system constraints.
This PR maintains full backward compatibility while creating a clear migration path for when the library becomes userscript-compatible.
Fixes #110.
Warning
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
- cdn.jsdelivr.net: curl -s REDACTED (dns block)
- data.jsdelivr.com: curl -s REDACTED (dns block)
- unpkg.com: curl -s REDACTED (dns block)
If you need me to access, download, or install something from one of these locations, you can either:
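As an added illustration (my own code, not the PR's or the project's), here is a hardened shape for the helpers the description names: formatBarcode() rejects anything but 8 to 14 digits, extractBarcodeFromUrl() only takes a barcode from the product path or the code query parameter, and buildProductUrls() encodes the validated value before embedding it, so the barcode is cleaned at the source and encoded at the sink. The Open Food Facts origin, the /api/v2/product/<code>.json path and the digit-length rule are assumptions.

```javascript
// Added example, not the PR's code. Assumed: the OFF origin below, the
// /api/v2/product/<code>.json API path, and barcodes being 8 to 14 digits.
const DEFAULT_ORIGIN = "https://world.openfoodfacts.org";
const BARCODE_RE = /^\d{8,14}$/;

// Normalise a user-supplied barcode: drop spaces and dashes, then accept only
// digits of plausible length. Returns null for anything else, so a value such
// as '1234"><b>' never reaches a URL or an HTML string.
function formatBarcode(raw) {
  if (typeof raw !== "string") return null;
  const cleaned = raw.replace(/[\s-]/g, "");
  return BARCODE_RE.test(cleaned) ? cleaned : null;
}

// Pull a barcode out of a product page URL (/product/<code>/...) or an
// edit URL (/cgi/product.pl?code=<code>); anything else yields null.
function extractBarcodeFromUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return null; }
  const m = url.pathname.match(/^\/product\/(\d{8,14})(?:\/|$)/);
  if (m) return m[1];
  const code = url.searchParams.get("code");
  return code === null ? null : formatBarcode(code);
}

// Build the view, edit and API URLs from a validated barcode. The regex
// already restricts the value, but encodeURIComponent keeps the sink safe
// even if the validation rule is loosened later.
function buildProductUrls(code, origin = DEFAULT_ORIGIN) {
  const barcode = formatBarcode(code);
  if (barcode === null) throw new Error("invalid barcode: " + code);
  const enc = encodeURIComponent(barcode);
  return {
    view: origin + "/product/" + enc,
    edit: origin + "/cgi/product.pl?type=edit&code=" + enc,
    api: origin + "/api/v2/product/" + enc + ".json",
  };
}

// For callers that still build markup as a string: escape every character
// that matters in text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Edit link as a string with both the URL and the label escaped.
function buildEditLinkHtml(code, label) {
  return '<a href="' + escapeHtml(buildProductUrls(code).edit) + '">' + escapeHtml(label) + "</a>";
}
```

Building the anchor with jQuery's element constructor, as the autofix does, remains preferable to string assembly; escapeHtml() is there for the places in the script that still concatenate.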