feat: bundle Hoagie requirements data locally and serve at page load#512
feat: bundle Hoagie requirements data locally and serve at page load#512angelina-ji wants to merge 1 commit intomasterfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0924da8092
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| if (window.__TIGERPATH_PRELOADED_REQUIREMENTS__) { | ||
| handleRequirementData(window.__TIGERPATH_PRELOADED_REQUIREMENTS__); |
There was a problem hiding this comment.
This condition treats an empty preloaded payload as success, so the API fallback never runs. In this commit the server can serialize [] for cases like unsupported majors or preload exceptions, and because [] is truthy in JavaScript, users can end up stuck with an empty requirements pane instead of the normal /api/v1/get_requirements/ result (which includes unsupported-major messaging and degree progress).
Useful? React with 👍 / 👎.
| @@ -111,6 +111,11 @@ | |||
| </script> | |||
| {% endif %} | |||
|
|
|||
| {% if preloaded_requirements_json %} | |||
| <script> | |||
| window.__TIGERPATH_PRELOADED_REQUIREMENTS__ = {{ preloaded_requirements_json|safe }}; | |||
There was a problem hiding this comment.
Rendering preloaded_requirements_json with |safe inside a <script> block allows script-breakout sequences like </script> in data values to terminate the block and inject executable HTML/JS. Requirement data can include user-provided external credit names, so this introduces a stored XSS vector on page load unless the payload is emitted with safe escaping (for example via Django's JSON-script escaping helpers).
Useful? React with 👍 / 👎.
1 participant
Bundle Hoagie requirements data locally and serve at page load
PROBLEM:
TigerPath fetches requirements from the old branch of Princeton-Departmental-Data over HTTP — that data is outdated and the network fetch causes the requirements sidebar to flash in after a delay.
CHANGES:
Copied HoagieClub/plan's MIT-licensed YAML data into tigerpath/requirements_data/ (majors, minors, certificates, degrees)
Replaced the remote HTTP fetch in verifier.py with local file reads
Pre-compute requirements in the Django index view and inject into the HTML so the sidebar renders instantly on page load
Frontend checks for preloaded data before falling back to the API fetch
TESTING:
Log in, select a major, reload — requirements sidebar should appear instantly
DevTools → Network → filter get_requirements → hard refresh — zero requests on initial load