feat: switch from angular/AJAX+Boostrap to HTMX+PicoCSS

[berezovskyi]

I spent 3 hours updating Angular 10 to 11 yesterday and the migration is not fully complete. Mind you, the current version of Angular is 19 and the recommendation is to upgrade only one major version at a time.

Now I spent just 2 hours to write a complete delegated dialog implementation using HTMX instead of making AJAX requests and using Angular to dynamically render results.

Instead, HTMX is a hypermedia framework that is declaratively configured to make HTTP requests and place responses into the HTML DOM. OSLC, being an LDP REST API built with hypermedia principles at heart is perfectly aligned with HTMX. A lot of code can be removed as a result.

One of the best things is that HTMX does not intend to make breaking change like modern frontend frameworks and be more like jQuery in terms of stability. I think it's a perfect fit for the refimpl that needs to reduce the maintenance burden.

Screen.Recording.2025-01-18.at.14.23.29.mov

[berezovskyi]

this tiny bit of HTML is what gets rendered every time HTMX makes a search request and it dynamically replaces the contents of the #search-results div with this content returned by the server. Simple and easy.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 11 comments.

Comments suppressed due to low confidence (2)

src/server-rm/src/main/webapp/co/oslc/refimpl/rm/gen/requirementselector-results.jsp:29

• The requirement resource title is rendered directly into the HTML without escaping. If a requirement title contains HTML special characters or malicious script tags, this could lead to XSS vulnerabilities. Use JSTL's c:out tag with escapeXml="true" or fn:escapeXml() to properly escape the title content.

          >${requirement.title}</a>

src/server-rm/src/main/webapp/co/oslc/refimpl/rm/gen/requirementselector-results.jsp:27

• The requirement.about URI is rendered directly in the href attribute without escaping. If the URI contains quotes or other special characters, it could break the attribute or lead to attribute injection attacks. Use JSTL c:out or fn:escapeXml() to properly escape the URI.

        <a href="${requirement.about}"

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The wildcard origin '*' in postMessage allows any website to receive the OSLC selection response, which could expose sensitive resource information to malicious sites. Consider using the opener's origin or a configured whitelist of allowed origins instead.

Suggested change

	window.parent.postMessage("oslc-response:" + JSON.stringify(message), '*')
	// Extract parent origin from document.referrer
	let parentOrigin = null;
	try {
	if (document.referrer) {
	parentOrigin = new URL(document.referrer).origin;
	}
	} catch (e) {
	// If referrer is malformed, do not send the message
	parentOrigin = null;
	}
	if (parentOrigin) {
	window.parent.postMessage("oslc-response:" + JSON.stringify(message), parentOrigin);
	} else {
	console.error("Unable to determine parent origin. OSLC selection response not sent.");
	}

[Copilot]

The SRI hash is for HTMX version 2.0.4, but there's no corresponding integrity check for the PicoCSS CDN link. While the PicoCSS link uses HTTPS, adding an integrity attribute would provide additional protection against CDN compromise.

Suggested change

	<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@1/css/pico.min.css">
	<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@1/css/pico.min.css" integrity="sha384-+1Qw6QwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQwQw==" crossorigin="anonymous">

[Copilot]

When the delegate returns null for resources, the code logs an error stating "A empty search should return an empty list and not NULL!" and then returns a 204 No Content response. However, this masks a potential bug in the delegate implementation rather than handling it appropriately. Consider throwing an exception or returning a 500 Internal Server Error to signal that the delegate violated its contract.

[Copilot]

When forwarding the request to a JSP that returns HTML fragments for HTMX (lines 289-292), the method continues execution after rd.forward() without returning. This means the subsequent code block (lines 310-313) will still be evaluated, potentially causing issues. Add a return statement after the forward() call to prevent fall-through.

Suggested change

	rd.forward(httpServletRequest, httpServletResponse);
	rd.forward(httpServletRequest, httpServletResponse);
	return null;

[Copilot]

The HTMX request detection using a custom header "hx-request" should be case-sensitive checked. The equalsIgnoreCase method could match "TRUE", "True", etc., but HTMX sends lowercase "true". While this is more lenient (which may be desirable), it's worth noting that the official HTMX header value is always lowercase "true".

Suggested change

	if ("true".equalsIgnoreCase(httpServletRequest.getHeader("hx-request"))) {
	if ("true".equals(httpServletRequest.getHeader("hx-request"))) {

[Copilot]

The HTMX trigger configuration 'input changed delay:120ms, keyup[key=='Enter'], load' includes a 'load' event which will fire when the page loads, even when the search input is empty. This will cause an unnecessary request to the server on page load. Consider removing 'load' from the trigger if you don't want to perform a search with empty terms on initial page load.

Suggested change

	hx-trigger="input changed delay:120ms, keyup[key=='Enter'], load"
	hx-trigger="input changed delay:120ms, keyup[key=='Enter']"

[Copilot]

The comment on lines 294-295 acknowledges that mixing HTML and JSON responses without proper content negotiation is "really bad", but this approach is still implemented. This creates technical debt and violates REST API principles. Consider refactoring to use proper Accept header negotiation or creating separate endpoints for HTML and JSON responses.

[Copilot]

The JavaScript variables 'elt', 'name', and 'evt' use inconsistent naming conventions. The code uses 'elt' (abbreviated) alongside 'name' and 'evt' (also abbreviated). Consider using more descriptive names like 'element', 'eventName', and 'event' for better code clarity, or at least be consistent with abbreviation style.

Suggested change

	onEvent : function(name, evt) {
	var elt = evt.detail.elt;
	if(name === "htmx:beforeRequest") {
	elt.setAttribute("aria-busy", "true")
	} else if(name === "htmx:afterRequest" ) {
	elt.removeAttribute("aria-busy")
	onEvent : function(eventName, event) {
	var element = event.detail.elt;
	if(eventName === "htmx:beforeRequest") {
	element.setAttribute("aria-busy", "true")
	} else if(eventName === "htmx:afterRequest" ) {
	element.removeAttribute("aria-busy")

[Copilot]

There's inconsistent indentation on line 291 where httpServletRequest.setAttribute has extra leading whitespace compared to the surrounding lines. This creates visual inconsistency in the code block.

Suggested change

	httpServletRequest.setAttribute("resources", resources);
	httpServletRequest.setAttribute("resources", resources);

[Copilot]

The requirement.title and requirement.about fields are rendered directly into HTML without any escaping, while Requirement instances are populated from unsanitized client input in RestDelegate.createRequirement. A malicious client can create a requirement whose title contains HTML/JavaScript so that when this selection dialog is opened, the injected script executes in the browser (stored XSS) and can act with the privileges of the RM provider UI. Ensure that user-controlled fields are properly encoded for HTML text and attribute contexts before rendering (for example, by using JSP/JSTL escaping utilities) so that they cannot inject markup or script.

Suggested change

	<a href="${requirement.about}"
	onclick="sendOslcSelectionPostMessage(this, event)"
	>${requirement.title}</a>
	<a href="<c:out value='${requirement.about}'/>"
	onclick="sendOslcSelectionPostMessage(this, event)"
	><c:out value="${requirement.title}"/></a>

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.