feat: Refactor rides app with unique constraints, mixins, and enhanced documentation

- Added migration to convert unique_together constraints to UniqueConstraint for RideModel.
- Introduced RideFormMixin for handling entity suggestions in ride forms.
- Created comprehensive code standards documentation outlining formatting, docstring requirements, complexity guidelines, and testing requirements.
- Established error handling guidelines with a structured exception hierarchy and best practices for API and view error handling.
- Documented view pattern guidelines, emphasizing the use of CBVs, FBVs, and ViewSets with examples.
- Implemented a benchmarking script for query performance analysis and optimization.
- Developed security documentation detailing measures, configurations, and a security checklist.
- Compiled a database optimization guide covering indexing strategies, query optimization patterns, and computed fields.

backend/templates/components/ui/card.html

@@ -1,7 +1,10 @@
 {% comment %}
 Card Component - Django Template Version of shadcn/ui Card
 Usage: {% include 'components/ui/card.html' with title='Card Title' content='Card content' %}
+
+Security: All content variables are sanitized to prevent XSS attacks.
 {% endcomment %}
+{% load safe_html %}
 
 <div class="rounded-lg border bg-card text-card-foreground shadow-sm {{ class|default:'' }}">
   {% if title or header_content %}
@@ -13,25 +16,25 @@ Usage: {% include 'components/ui/card.html' with title='Card Title' content='Car
     <p class="text-sm text-muted-foreground">{{ description }}</p>
     {% endif %}
     {% if header_content %}
-    {{ header_content|safe }}
+    {{ header_content|sanitize }}
     {% endif %}
   </div>
   {% endif %}
-  
+
   {% if content or body_content %}
   <div class="p-6 pt-0">
     {% if content %}
-    {{ content|safe }}
+    {{ content|sanitize }}
     {% endif %}
     {% if body_content %}
-    {{ body_content|safe }}
+    {{ body_content|sanitize }}
     {% endif %}
   </div>
   {% endif %}
-  
+
   {% if footer_content %}
   <div class="flex items-center p-6 pt-0">
-    {{ footer_content|safe }}
+    {{ footer_content|sanitize }}
   </div>
   {% endif %}
 </div>

backend/templates/maps/nearby_locations.html

@@ -316,6 +316,11 @@
 <!-- Leaflet JS -->
 <script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"></script>
 
+{# Security: Safely embed JSON data using Django's json_script tag to prevent XSS #}
+{% if nearby_locations %}
+{{ nearby_locations|json_script:"nearby-locations-data" }}
+{% endif %}
+
 <script>
 // Nearby locations map class
 class NearbyMap {
@@ -436,11 +441,14 @@ class NearbyMap {
     
     addLocationMarkers() {
         {% if nearby_locations %}
-        const locations = {{ nearby_locations|safe }};
-        
-        locations.forEach(location => {
-            this.addLocationMarker(location);
-        });
+        {# Security: Use json_script to safely embed JSON data without XSS risk #}
+        const locationsData = document.getElementById('nearby-locations-data');
+        if (locationsData) {
+            const locations = JSON.parse(locationsData.textContent);
+            locations.forEach(location => {
+                this.addLocationMarker(location);
+            });
+        }
         {% endif %}
     }
     

backend/templates/maps/partials/location_card.html

@@ -77,7 +77,13 @@
         {% endif %}
         
         {% if show_trip_action %}
-            <button onclick="addToTrip({{ location|safe }})" 
+            {# Security: Use data attributes instead of inline JS with |safe #}
+            <button onclick="addToTripFromElement(this)"
+                    data-location-id="{{ location.id }}"
+                    data-location-type="{{ location.type }}"
+                    data-location-name="{{ location.name }}"
+                    data-location-lat="{{ location.latitude }}"
+                    data-location-lng="{{ location.longitude }}"
                     class="px-3 py-2 text-sm text-purple-600 border border-purple-600 rounded-lg hover:bg-purple-50 dark:hover:bg-purple-900 transition-colors"
                     title="Add to trip">
                 <i class="fas fa-plus"></i>
@@ -316,6 +322,19 @@ window.addToTrip = function(locationData) {
     document.dispatchEvent(event);
 };
 
+// Security: Helper function to extract location data from element attributes
+// instead of using inline JavaScript with unsanitized data
+window.addToTripFromElement = function(element) {
+    const locationData = {
+        id: element.dataset.locationId,
+        type: element.dataset.locationType,
+        name: element.dataset.locationName,
+        latitude: parseFloat(element.dataset.locationLat),
+        longitude: parseFloat(element.dataset.locationLng)
+    };
+    addToTrip(locationData);
+};
+
 // Handle location card selection
 document.addEventListener('DOMContentLoaded', function() {
     document.addEventListener('click', function(e) {

backend/templates/maps/partials/location_popup.html

@@ -150,9 +150,11 @@
     {% endif %}
 
     <!-- Custom Content -->
+    {% load safe_html %}
     {% if custom_content %}
     <div class="popup-custom">
-        {{ custom_content|safe }}
+        {# Security: Sanitize custom content to prevent XSS #}
+        {{ custom_content|sanitize }}
     </div>
     {% endif %}
 
@@ -180,7 +182,13 @@
         {% endif %}
         
         {% if show_trip_button %}
-        <button onclick="addLocationToTrip({{ location|safe }})" 
+        {# Security: Use data attribute for location data instead of inline JS with |safe #}
+        <button onclick="addLocationToTripFromElement(this)"
+                data-location-id="{{ location.id }}"
+                data-location-type="{{ location.type }}"
+                data-location-name="{{ location.name }}"
+                data-location-lat="{{ location.latitude }}"
+                data-location-lng="{{ location.longitude }}"
                 class="popup-btn popup-btn-accent">
             <i class="mr-1 fas fa-plus"></i>{{ trip_button_text|default:"Add to Trip" }}
         </button>
@@ -455,11 +463,24 @@ window.addLocationToTrip = function(locationData) {
         detail: locationData
     });
     document.dispatchEvent(event);
-    
+
     // Show feedback
     showPopupFeedback('Added to trip!', 'success');
 };
 
+// Security: Helper function to extract location data from element attributes
+// instead of using inline JavaScript with unsanitized data
+window.addLocationToTripFromElement = function(element) {
+    const locationData = {
+        id: element.dataset.locationId,
+        type: element.dataset.locationType,
+        name: element.dataset.locationName,
+        latitude: parseFloat(element.dataset.locationLat),
+        longitude: parseFloat(element.dataset.locationLng)
+    };
+    addLocationToTrip(locationData);
+};
+
 window.shareLocation = function(type, id) {
     // Share location URL
     const url = window.location.origin + `/{{ type }}/${id}/`;