The main page [0] shows you awesome demos, but also its weaknesses in the very first example. It doesn't encode the URL-encoded body properly:
> body: `text=${text}`,
So it breaks if the text contains a '&' and even allows parameter injection into the call to the 3rd-party service. It isn't that critical on a sentiment analysis API, but it could result in actual security holes.
I hope the users won't blindly use the generated code without review.
These mistakes can be so subtle, nobody even noticed them when they put them on the front page of the product.
There are issues with many of the other demos too, especially in the second group of examples (e.g. `const months = days / 30`, the prime number test function not testing any `false` cases, etc.).
[0]: https://github.com/features/copilot/
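Added example (not code from the Copilot demo or from the comment above) showing the failure the comment describes: the demo's `text=${text}` body next to a form that percent-encodes the value, and what a standard x-www-form-urlencoded parser on the receiving side would see in each case. The sample input is constructed; the third-party service is not contacted.

```javascript
// The pattern from the demo, kept as the vulnerable form: the caller's string
// is spliced into the body with no encoding, so '&' and '=' inside it become
// parameter separators on the receiving side.
function buildBodyNaive(text) {
  return `text=${text}`;
}

// Hardened form: URLSearchParams percent-encodes '&', '=', '%', '+' and
// non-ASCII characters, so the value can only ever be the single `text` field.
// encodeURIComponent(text) would do the same for this one field.
function buildBodySafe(text) {
  return new URLSearchParams({ text }).toString();
}

// What a typical x-www-form-urlencoded parser (the kind behind most HTTP APIs)
// turns the body into: a flat key/value map.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Constructed input: a review containing an '&' and a smuggled extra parameter.
const SAMPLE_INPUT = "great product & cheap&lang=fr";

// Returns both server-side views side by side for the same input.
function compare(text) {
  return {
    naive: parseBody(buildBodyNaive(text)),
    safe: parseBody(buildBodySafe(text)),
  };
}

const result = compare(SAMPLE_INPUT);
console.log("naive body :", buildBodyNaive(SAMPLE_INPUT));
console.log("naive parse:", result.naive);   // text truncated at '&', lang=fr injected
console.log("safe body  :", buildBodySafe(SAMPLE_INPUT));
console.log("safe parse :", result.safe);    // whole string survives as `text`
```

The naive body parses to a truncated `text` plus an attacker-chosen `lang` field, which is exactly the parameter injection the comment points at; the encoded body parses back to the original string and nothing else. The same applies to `fetch`'s `body:` option when the `Content-Type` is `application/x-www-form-urlencoded`: passing a `URLSearchParams` object there sets both the encoding and the header.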