Description
In lib/validations.ts:52-56, the toGraceValue function uses parseFloat to parse the ?grace= URL parameter:
export function toGraceValue(val?: string): number {
if (!val) return 1;
const parsed = parseFloat(val);
return isNaN(parsed) ? 1 : Math.max(0, Math.min(parsed, 7));
}Problem
parseFloat is overly permissive — it silently accepts non-numeric suffixes:
| Input |
Current Result |
Expected (with Number()) |
"abc" |
NaN → 1 |
NaN → 1 |
"2abc" |
2 (trailing garbage ignored) |
NaN → 1 |
"3.5.2" |
3.5 (truncated at second dot) |
NaN → 1 |
"3" |
3 |
3 |
This is inconsistent with all five other numeric URL parameter parsers in the same file (toFontSize at line 347, toRadius at line 315, toSpeed at line 80, toOpacityValue at line 62, toHideBorder at line 377), which use Number(val) — a stricter parser that rejects any non-numeric input with NaN.
A user typing ?grace=2abc would expect a validation error or default but instead silently get a valid grace value of 2, masking their typo.
Suggested Fix
const parsed = Number(val);
return isNaN(parsed) ? 1 : Math.max(0, Math.min(parsed, 7));
Acceptance Criteria
Severity
Low — edge case that mainly affects consistency and debugging of malformed URLs.
Related
Other parsers in validations.ts that already use Number():
toFontSize (line 347)toRadius (line 315)toSpeed (line 80)toOpacityValue (line 62)toHideBorder (flag parser, line 377)
Description
In
lib/validations.ts:52-56, thetoGraceValuefunction usesparseFloatto parse the?grace=URL parameter:Problem
parseFloatis overly permissive — it silently accepts non-numeric suffixes:Number())"abc"NaN→1NaN→1"2abc"2(trailing garbage ignored)NaN→1"3.5.2"3.5(truncated at second dot)NaN→1"3"33This is inconsistent with all five other numeric URL parameter parsers in the same file (
toFontSizeat line 347,toRadiusat line 315,toSpeedat line 80,toOpacityValueat line 62,toHideBorderat line 377), which useNumber(val)— a stricter parser that rejects any non-numeric input withNaN.A user typing
?grace=2abcwould expect a validation error or default but instead silently get a valid grace value of2, masking their typo.Suggested Fix
Acceptance Criteria
toGraceValue(undefined)→1toGraceValue('')→1toGraceValue('3')→3toGraceValue('3.5')→3.5toGraceValue('2abc')→1(currently returns2)toGraceValue('abc')→1validations.tsSeverity
Low — edge case that mainly affects consistency and debugging of malformed URLs.
Related
Other parsers in
validations.tsthat already useNumber():toFontSize(line 347)toRadius(line 315)toSpeed(line 80)toOpacityValue(line 62)toHideBorder(flag parser, line 377)