fix: sanitize CSS classnames

[javier-godoy]

Summary by CodeRabbit

• Refactor
  • Improved internal route handling and normalization logic for better consistency and robustness in component processing.

[coderabbitai]

Walkthrough

The change modifies the showRouterLayoutContent method in TabbedDemo.java to enhance route value normalization. Route extraction now removes leading slashes and replaces leading digits with underscore-prefixed variants. Route segments are sanitized to permit only alphanumeric characters, underscores, and hyphens, with leading and trailing hyphens removed; empty segments are excluded.

Changes

Cohort / File(s)	Summary
Route Normalization Logic src/main/java/com/flowingcode/vaadin/addons/demo/TabbedDemo.java	Enhanced showRouterLayoutContent method to apply multi-step route-to-class-name transformation: removes leading slashes, prefixes leading digits with underscores, sanitizes segments to alphanumeric/underscore/hyphen characters only, and trims leading/trailing hyphens while skipping empty segments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• feat: derive CSS classname from demo route #146 — Modifies TabbedDemo's route-to-CSS-class logic in showRouterLayoutContent for deriving class names from Route values.

Suggested reviewers

• mlopezFC
• paodb

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: sanitize CSS classnames' directly matches the main changes: sanitizing route segments and classnames by removing invalid characters and replacing leading digits.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sanitize-classname

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/main/java/com/flowingcode/vaadin/addons/demo/TabbedDemo.java`:
- Around line 205-214: The code currently applies leading-digit normalization on
the raw route string (.map(...replaceFirst("^[0-9]", "_$0"))) before sanitizing
segments, which can let a later sanitized segment still start with a digit;
change the logic so digit-prefixing happens after sanitization of each segment
and only for the first non-empty sanitized segment: in the block that iterates
segments (route.split("/+")), perform the sanitize steps
(replaceAll("[^a-zA-Z0-9_-]+", "-").replaceAll("^-+|-+$", "")), skip empty
segments, and when appending the first non-empty sanitized segment to prefix and
calling demo.addClassName(...) check if that sanitized segment startsWith a
digit and if so prepend '_' to that segment (and to the prefix) before
appending; leave subsequent segments untouched except for the existing '-'
separator handling.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5142da3 and 413c118.

📒 Files selected for processing (1)

• src/main/java/com/flowingcode/vaadin/addons/demo/TabbedDemo.java

[javier-godoy]

SONARCLOUD:

Make sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.

The processed strings are obtained from the @Route annotation, thus they are static at compile time.