Address some CodeQL security concerns (#35572)

Although there is no real security problem
2025-10-14 04:36:05 +00:00 · 2025-10-04 01:21:26 +08:00
parent c4532101a4
commit 71360a94cb
35 changed files with 118 additions and 78 deletions
--- a/web_src/js/features/comp/EditorMarkdown.test.ts
+++ b/web_src/js/features/comp/EditorMarkdown.test.ts
@@ -26,13 +26,13 @@ test('textareaSplitLines', () => {
 test('markdownHandleIndention', () => {
  const testInput = (input: string, expected?: string) => {
    const inputPos = input.indexOf('|');
-    input = input.replace('|', '');
+    input = input.replaceAll('|', '');
    const ret = markdownHandleIndention({value: input, selStart: inputPos, selEnd: inputPos});
    if (expected === null) {
      expect(ret).toEqual({handled: false});
    } else {
      const expectedPos = expected.indexOf('|');
-      expected = expected.replace('|', '');
+      expected = expected.replaceAll('|', '');
      expect(ret).toEqual({
        handled: true,
        valueSelection: {value: expected, selStart: expectedPos, selEnd: expectedPos},
--- a/web_src/js/features/repo-issue.ts
+++ b/web_src/js/features/repo-issue.ts
@@ -333,7 +333,7 @@ export function initRepoPullRequestReview() {
    let ntr = tr.nextElementSibling;
    if (!ntr?.classList.contains('add-comment')) {
      ntr = createElementFromHTML(`
-        <tr class="add-comment" data-line-type="${lineType}">
+        <tr class="add-comment" data-line-type="${htmlEscape(lineType)}">
          ${isSplit ? `
            <td class="add-comment-left" colspan="4"></td>
            <td class="add-comment-right" colspan="4"></td>
--- a/web_src/js/modules/fomantic/base.ts
+++ b/web_src/js/modules/fomantic/base.ts
@@ -14,4 +14,7 @@ export function linkLabelAndInput(label: Element, input: Element) {
  }
 }

-export const fomanticQuery = $;
+export function fomanticQuery(s: string | Element | NodeListOf<Element>): ReturnType<typeof $> {
+  // intentionally make it only work for query selector, it isn't used for creating HTML elements (for safety)
+  return typeof s === 'string' ? $(document).find(s) : $(s);
+}
--- a/web_src/js/utils.ts
+++ b/web_src/js/utils.ts
@@ -35,7 +35,12 @@ export function isDarkTheme(): boolean {

 /** strip <tags> from a string */
 export function stripTags(text: string): string {
-  return text.replace(/<[^>]*>?/g, '');
+  let prev = '';
+  while (prev !== text) {
+    prev = text;
+    text = text.replace(/<[^>]*>?/g, '');
+  }
+  return text;
 }

 export function parseIssueHref(href: string): IssuePathInfo {