feat: Refactor rides app with unique constraints, mixins, and enhanced documentation

- Added migration to convert unique_together constraints to UniqueConstraint for RideModel. - Introduced RideFormMixin for handling entity suggestions in ride forms. - Created comprehensive code standards documentation outlining formatting, docstring requirements, complexity guidelines, and testing requirements. - Established error handling guidelines with a structured exception hierarchy and best practices for API and view error handling. - Documented view pattern guidelines, emphasizing the use of CBVs, FBVs, and ViewSets with examples. - Implemented a benchmarking script for query performance analysis and optimization. - Developed security documentation detailing measures, configurations, and a security checklist. - Compiled a database optimization guide covering indexing strategies, query optimization patterns, and computed fields.
2025-12-23 07:51:08 -05:00 · 2025-12-22 11:17:31 -05:00
parent 45d97b6e68
commit 2e35f8c5d9
71 changed files with 8036 additions and 1462 deletions
--- a/backend/templates/maps/partials/location_card.html
+++ b/backend/templates/maps/partials/location_card.html
@@ -77,7 +77,13 @@
        {% endif %}
        
        {% if show_trip_action %}
-            <button onclick="addToTrip({{ location|safe }})" 
+            {# Security: Use data attributes instead of inline JS with |safe #}
+            <button onclick="addToTripFromElement(this)"
+                    data-location-id="{{ location.id }}"
+                    data-location-type="{{ location.type }}"
+                    data-location-name="{{ location.name }}"
+                    data-location-lat="{{ location.latitude }}"
+                    data-location-lng="{{ location.longitude }}"
                    class="px-3 py-2 text-sm text-purple-600 border border-purple-600 rounded-lg hover:bg-purple-50 dark:hover:bg-purple-900 transition-colors"
                    title="Add to trip">
                <i class="fas fa-plus"></i>
@@ -316,6 +322,19 @@ window.addToTrip = function(locationData) {
    document.dispatchEvent(event);
 };

+// Security: Helper function to extract location data from element attributes
+// instead of using inline JavaScript with unsanitized data
+window.addToTripFromElement = function(element) {
+    const locationData = {
+        id: element.dataset.locationId,
+        type: element.dataset.locationType,
+        name: element.dataset.locationName,
+        latitude: parseFloat(element.dataset.locationLat),
+        longitude: parseFloat(element.dataset.locationLng)
+    };
+    addToTrip(locationData);
+};
+
 // Handle location card selection
 document.addEventListener('DOMContentLoaded', function() {
    document.addEventListener('click', function(e) {
--- a/backend/templates/maps/partials/location_popup.html
+++ b/backend/templates/maps/partials/location_popup.html
@@ -150,9 +150,11 @@
    {% endif %}

    <!-- Custom Content -->
+    {% load safe_html %}
    {% if custom_content %}
    <div class="popup-custom">
-        {{ custom_content|safe }}
+        {# Security: Sanitize custom content to prevent XSS #}
+        {{ custom_content|sanitize }}
    </div>
    {% endif %}

@@ -180,7 +182,13 @@
        {% endif %}
        
        {% if show_trip_button %}
-        <button onclick="addLocationToTrip({{ location|safe }})" 
+        {# Security: Use data attribute for location data instead of inline JS with |safe #}
+        <button onclick="addLocationToTripFromElement(this)"
+                data-location-id="{{ location.id }}"
+                data-location-type="{{ location.type }}"
+                data-location-name="{{ location.name }}"
+                data-location-lat="{{ location.latitude }}"
+                data-location-lng="{{ location.longitude }}"
                class="popup-btn popup-btn-accent">
            <i class="mr-1 fas fa-plus"></i>{{ trip_button_text|default:"Add to Trip" }}
        </button>
@@ -455,11 +463,24 @@ window.addLocationToTrip = function(locationData) {
        detail: locationData
    });
    document.dispatchEvent(event);
-    
+
    // Show feedback
    showPopupFeedback('Added to trip!', 'success');
 };

+// Security: Helper function to extract location data from element attributes
+// instead of using inline JavaScript with unsanitized data
+window.addLocationToTripFromElement = function(element) {
+    const locationData = {
+        id: element.dataset.locationId,
+        type: element.dataset.locationType,
+        name: element.dataset.locationName,
+        latitude: parseFloat(element.dataset.locationLat),
+        longitude: parseFloat(element.dataset.locationLng)
+    };
+    addLocationToTrip(locationData);
+};
+
 window.shareLocation = function(type, id) {
    // Share location URL
    const url = window.location.origin + `/{{ type }}/${id}/`;