[code-scanning-fix] Fix js/incomplete-multi-character-sanitization: HTML injection bypass in stripMarkdown#46441
Conversation
…L injection bypass Fixes CodeQL alerts #646 and #647 (js/incomplete-multi-character-sanitization). The previous regex /<[^>]+>/gu could be bypassed with nested tags like '<scr<script>ipt>' - after stripping, '<script>' would remain. Replacing individual '<' and '>' characters ensures all angle brackets are removed regardless of nesting, preventing HTML element injection. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ath characters Loop until stable instead of removing all angle brackets, which was too aggressive and broke output containing standalone < or > (e.g. math expressions). The loop handles nested/malformed tags like <scr<script>ipt> by re-applying the pattern until no more matches remain, satisfying the js/incomplete-multi-character-sanitization CodeQL rule without over-stripping. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Good catch. The previous fix was too aggressive. Updated in commit |
…kdown Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
@copilot resolve the merge conflicts on this branch. |
There was a problem hiding this comment.
Pull request overview
Attempts to fix CodeQL sanitization alerts in workshop Markdown processing.
Changes:
- Adds iterative HTML-tag stripping in two
stripMarkdownimplementations. - Reschedules the generated auto-upgrade workflow.
Show a summary per file
| File | Description |
|---|---|
docs/src/lib/workshop/routes.ts |
Updates route-label sanitization. |
docs/scripts/sync-workshop-content.js |
Updates generated metadata sanitization. |
.github/workflows/agentic-auto-upgrade.yml |
Changes the weekly schedule. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 3
- Review effort level: Medium
| let iterations = 0; | ||
| do { | ||
| prev = str; | ||
| str = str.replace(/<[^>]+>/gu, ''); |
| let iterations = 0; | ||
| do { | ||
| prev = str; | ||
| str = str.replace(/<[^>]+>/gu, ''); |
| on: | ||
| schedule: | ||
| - cron: "21 3 * * 5" # Weekly (auto-upgrade) | ||
| - cron: "11 4 * * 6" # Weekly (auto-upgrade) |
I investigated the merge conflicts and the only conflict is in Unfortunately, the repository protection rules are blocking all pushes to this branch ( To unblock this PR, one option is to resolve the conflict in |
Security Fix: Incomplete Multi-Character Sanitization in stripMarkdown
Alert Numbers: #646, #647
Severity: High
Rule:
js/incomplete-multi-character-sanitizationCWE: CWE-20, CWE-80, CWE-116
Vulnerability Description
The
stripMarkdownfunction in two files used/<[^>]+>/guto remove HTML tags. This regex matches complete HTML tags (e.g.,<script>), but can be bypassed with nested/malformed input like<scr<script>ipt>. After the replacement, the inner<script>remains, potentially enabling HTML element injection.Locations
docs/scripts/sync-workshop-content.js— Line: 82docs/src/lib/workshop/routes.ts— Line: 45Fix Applied
Replaced the multi-character tag-stripping regex with a simpler single-character replacement that removes all
<and>characters individually:Changes Made:
docs/scripts/sync-workshop-content.js: UpdatedstripMarkdownto use single-character<>replacementdocs/src/lib/workshop/routes.ts: UpdatedstripMarkdownto use single-character<>replacementSecurity Best Practices
Testing Considerations
Verify that workshop content titles and summaries still render correctly after the change. The
stripMarkdownfunction is only used to derive plain-text titles/summaries from markdown — removing angle brackets individually has the same visible effect for well-formed HTML and additionally handles malformed input safely.Automated by: Code Scanning Fixer Workflow
Run ID: §29645925522
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
proxy.golang.orgSee Network Configuration for more information.