boxlang-code-reviewerlisted

# BoxLang Code Reviewer ## Overview This skill provides a structured checklist and framework for reviewing BoxLang code. Apply these checks systematically when reviewing PRs, auditing existing code, or self-reviewing before committing. --- ## Review Framework When reviewing BoxLang code, evaluate these categories in order of priority: 1. **Security** — Vulnerabilities that could be exploited 2. **Correctness** — Logic errors, edge cases, null safety 3. **Performance** — Inefficiencies, unnecessary work 4. **Maintainability** — Readability, naming, structure 5. **Style** — Conventions, consistency --- ## Security Checks ### SQL Injection ```boxlang // RED FLAG — string interpolation in SQL queryExecute( "SELECT * FROM users WHERE id = #url.id#" ) // REQUIRED FIX — always parameterize queryExecute( "SELECT * FROM users WHERE id = :id", { id: { value: url.id, cfsqltype: "cf_sql_integer" } } ) ``` **Review question:** Is every SQL value passed via `queryParam` / `:name` binding? ### XSS (Cross-Site Scripting) ```boxlang // RED FLAG — raw user input rendered in HTML <bx:output>#form.comment#</bx:output> // REQUIRED FIX — encode for context <bx:output>#encodeForHTML( form.comment )#</bx:output> ``` **Review question:** Is every user-supplied value encoded with the appropriate `encodeFor*()` function before output? ### File Upload Validation - Is the file extension validated against an allowlist? - Is MIME type validated server-side (not just by browser)? -