Skip to content

fix(website): strip tags to a fixed point in the copy-text helper#244

Merged
zantvoort merged 1 commit into
mainfrom
fix/codeql-sanitization
Jul 12, 2026
Merged

fix(website): strip tags to a fixed point in the copy-text helper#244
zantvoort merged 1 commit into
mainfrom
fix/codeql-sanitization

Conversation

@zantvoort

Copy link
Copy Markdown
Collaborator

Resolves code scanning alert #11 (js/incomplete-multi-character-sanitization, high).

The tutorial editor's toPlain helper stripped HTML tags with a single replace(/<[^>]+>/g, '') pass to derive the plain text for the Copy button. A single pass is not idempotent: removing an inner tag can splice two surrounding fragments into a fresh tag (for example <scr<span></span>ipt> collapses to <script>). The strip now repeats to a fixed point before unescaping, so no tag can survive reconstruction.

Exploitability

Not an actual injection sink: the input is trusted, build-time syntax-highlight markup authored in the tutorial pages, and the result is esc()'d before it reaches the data-copy attribute and is only ever used as clipboard text, never inserted as HTML. The fix clears the alert and removes the non-idempotent sanitization pattern from a docs site that shouldn't model it.

Verification

The new helper round-trips legitimate highlighted markup unchanged and fully strips the splice/nesting cases a single pass would leave behind (verified in isolation). Website source only; no versioned_docs touched.

CodeQL js/incomplete-multi-character-sanitization on the tutorial
editor's toPlain helper: a single tag-stripping pass is not idempotent,
because removing an inner tag can splice two fragments into a fresh tag
(<scr<span></span>ipt> collapses to <script>). Repeat the strip until
the markup stops changing before unescaping.

The input is trusted build-time highlight markup and the result is
escaped before it reaches the data-copy attribute and only used as
clipboard text, so this was not an exploitable sink; the fix clears the
alert and removes the non-idempotent pattern.
@zantvoort zantvoort merged commit 75153d1 into main Jul 12, 2026
7 checks passed
@zantvoort zantvoort deleted the fix/codeql-sanitization branch July 12, 2026 10:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant