fix(website): strip tags to a fixed point in the copy-text helper#244
Merged
Conversation
CodeQL js/incomplete-multi-character-sanitization on the tutorial editor's toPlain helper: a single tag-stripping pass is not idempotent, because removing an inner tag can splice two fragments into a fresh tag (<scr<span></span>ipt> collapses to <script>). Repeat the strip until the markup stops changing before unescaping. The input is trusted build-time highlight markup and the result is escaped before it reaches the data-copy attribute and only used as clipboard text, so this was not an exploitable sink; the fix clears the alert and removes the non-idempotent pattern.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves code scanning alert #11 (
js/incomplete-multi-character-sanitization, high).The tutorial editor's
toPlainhelper stripped HTML tags with a singlereplace(/<[^>]+>/g, '')pass to derive the plain text for the Copy button. A single pass is not idempotent: removing an inner tag can splice two surrounding fragments into a fresh tag (for example<scr<span></span>ipt>collapses to<script>). The strip now repeats to a fixed point before unescaping, so no tag can survive reconstruction.Exploitability
Not an actual injection sink: the input is trusted, build-time syntax-highlight markup authored in the tutorial pages, and the result is
esc()'d before it reaches thedata-copyattribute and is only ever used as clipboard text, never inserted as HTML. The fix clears the alert and removes the non-idempotent sanitization pattern from a docs site that shouldn't model it.Verification
The new helper round-trips legitimate highlighted markup unchanged and fully strips the splice/nesting cases a single pass would leave behind (verified in isolation). Website source only; no
versioned_docstouched.