Webpack plugin and CLI utility that represents bundle content as convenient interactive zoomable treemap
Overall score: 98%
{
  "context": "This criterion evaluates how well an engineer understands and utilizes webpack-bundle-analyzer's security features for generating safe HTML reports. The focus is on proper use of escaping mechanisms, validation functions, and security-aware report generation APIs.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "XSS Prevention",
      "description": "Uses proper HTML escaping for user-controlled content (module names, paths) in the generated HTML report to prevent script injection. Should utilize html-escaper library or equivalent escaping mechanism.",
      "max_score": 30
    },
    {
      "name": "JSON Escaping",
      "description": "Escapes special characters (particularly '<' as '\\u003c') when embedding data in JSON within the HTML report to prevent XSS through JSON context.",
      "max_score": 25
    },
    {
      "name": "Path Validation",
      "description": "Validates and sanitizes file paths to prevent directory traversal attacks. Should check for patterns like '../' and ensure paths stay within intended boundaries.",
      "max_score": 20
    },
    {
      "name": "Safe Report Generation",
      "description": "Uses webpack-bundle-analyzer's report generation APIs (generateReport, generateStaticReport, or viewer.generateReport) which have built-in security features, rather than manually constructing HTML.",
      "max_score": 15
    },
    {
      "name": "CSP Compatibility",
      "description": "Generated HTML avoids inline scripts, eval(), and other unsafe JavaScript patterns that would violate Content Security Policy. Uses external scripts or safe data attributes instead.",
      "max_score": 10
    }
  ]
}

Install with Tessl CLI
npx tessl i tessl/npm-webpack-bundle-analyzer

evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10