Skip to content

Potential fix for code scanning alert no. 12: Incomplete multi-character sanitization #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
EthanThePhoenix38 merged 2 commits into from
Jan 8, 2026
Merged

Potential fix for code scanning alert no. 12: Incomplete multi-character sanitization #11

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bb179be
Potential fix for code scanning alert no. 12: Incomplete multi-charac…
EthanThePhoenix38 Jan 8, 2026
a19303c
Merge branch 'main' into alert-autofix-12
EthanThePhoenix38 Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions src/aggregator.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,8 +75,30 @@ function smartTruncate(text, maxLength = 500) {
return truncated.trim() + '...';
}

/**
* HTML-escape a string so it is safe to insert into HTML contexts.
* Converts &, <, and > to their corresponding entities.
* @param {string} input
* @returns {string}
*/
function htmlEscape(input) {
if (!input) {
return '';
}
return input
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}

// Sanitize and process articles
function sanitizeArticle(article, sourceName, tags, category) {
const rawSummary = htmlEscape(
article.contentSnippet?.replace(/<[^>]*>/g, '') || ''
);

return {
title: htmlEscape(article.title?.replace(/<[^>]*>/g, '') || '').slice(0, 200) || 'Untitled',
Comment on lines +78 to +101
Copy link

Copilot AI Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HTML-escaping the title and summary at the data layer causes issues in multiple contexts where the data is used:

  1. Markdown generation (line 199-201): HTML entities like &lt;, &gt;, and &amp; will appear as literal text in the generated README markdown, making content harder to read.

  2. LinkedIn posts (line 249): If re-enabled, the LinkedIn API would receive HTML entities in the post text, which would be displayed to users as &lt; instead of <.

  3. Reader HTML (reader.html:469): Uses textContent to insert the title, which means HTML entities would be double-escaped and shown to users literally.

  4. Stats HTML (stats.html:436): Uses DOMPurify which expects raw text, not pre-escaped text, leading to visible entities.

The original regex-based sanitization approach (removing HTML tags) was more appropriate for this use case. If HTML injection is a concern, it should be addressed at the presentation layer (where it's already done with DOMPurify and textContent), not at the data storage layer. Consider reverting the htmlEscape calls and relying on the existing output-side protections.

Suggested change
/**
* HTML-escape a string so it is safe to insert into HTML contexts.
* Converts &, <, and > to their corresponding entities.
* @param {string} input
* @returns {string}
*/
function htmlEscape(input) {
if (!input) {
return '';
}
return input
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}
// Sanitize and process articles
function sanitizeArticle(article, sourceName, tags, category) {
const rawSummary = htmlEscape(
article.contentSnippet?.replace(/<[^>]*>/g, '') || ''
);
return {
title: htmlEscape(article.title?.replace(/<[^>]*>/g, '') || '').slice(0, 200) || 'Untitled',
// Note: HTML escaping is intentionally handled at the presentation layer
// (e.g., via textContent and DOMPurify). At the data layer we only strip
// HTML tags (see sanitizeText) and keep the underlying text unescaped.
// Sanitize and process articles
function sanitizeArticle(article, sourceName, tags, category) {

Copilot uses AI. Check for mistakes.
const rawSummary = sanitizeText(article.contentSnippet) || '';

return {
Expand Down