@@ -7,6 +7,7 @@ | |||||||
| "dompurify": "^3.3.1", | ||||||||
| "express": "^5.2.1", | ||||||||
| "isomorphic-dompurify": "^2.35.0", | ||||||||
| "rss-parser": "^3.13.0" | ||||||||
| "rss-parser": "^3.13.0", | ||||||||
| "sanitize-html": "^2.17.0" | ||||||||
|
Comment on lines
+10
to
+11
|
||||||||
| "rss-parser": "^3.13.0", | |
| "sanitize-html": "^2.17.0" | |
| "rss-parser": "^3.13.0" |
@@ -2,6 +2,7 @@ | |
| const Parser = require('rss-parser'); | ||
| const axios = require('axios'); | ||
| const { Octokit } = require('@octokit/rest'); | ||
| const sanitizeHtml = require('sanitize-html'); | ||
|
||
|
|
||
| const parser = new Parser({ | ||
| timeout: 10000, | ||
|
|
@@ -28,6 +29,17 @@ function addUTMParams(url, category = 'general') { | |
| return url.includes('?') ? `${url}&${utmParams}` : `${url}?${utmParams}`; | ||
| } | ||
|
|
||
| // Robust HTML sanitization: strip all tags and unsafe content | ||
| function sanitizeText(input) { | ||
| if (!input) { | ||
| return ''; | ||
| } | ||
| return sanitizeHtml(input, { | ||
| allowedTags: [], | ||
| allowedAttributes: {}, | ||
| }); | ||
| } | ||
|
|
||
| /** | ||
| * Smart truncate: cut at last punctuation before limit | ||
| * Avoids cutting words in the middle | ||
|
|
@@ -65,10 +77,10 @@ function smartTruncate(text, maxLength = 500) { | |
|
|
||
| // Sanitize and process articles | ||
| function sanitizeArticle(article, sourceName, tags, category) { | ||
| const rawSummary = article.contentSnippet?.replace(/<[^>]*>/g, '') || ''; | ||
| const rawSummary = sanitizeText(article.contentSnippet) || ''; | ||
|
|
||
| return { | ||
| title: article.title?.replace(/<[^>]*>/g, '').slice(0, 200) || 'Untitled', | ||
| title: (sanitizeText(article.title) || 'Untitled').slice(0, 200), | ||
| link: addUTMParams(article.link, category), // UTM tracks traffic FROM AI-Pulse | ||
| pubDate: new Date(article.pubDate || Date.now()), | ||
| source: sourceName, | ||
|
|
||
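Review bot: `sanitizeText` returns HTML-escaped text rather than plain text, so from the new `rawSummary` and `title` lines onward the article fields carry entities — with `allowedTags: []` sanitize-html still runs its text escaper, so `a & b` comes back as `a &amp; b` and `5 < 6` as `5 &lt; 6` (this is my reading of sanitize-html's default text handling; confirm against the installed version). `contentSnippet` from rss-parser is already entity-decoded plain text, so summaries get double-encoded, and `.slice(0, 200)` on the title line can now cut through an entity and leave a dangling `&am`. Whether that is a defect depends on the consumer: if these fields are later inserted into HTML, the escaped form is the safe one and the helper should say so, e.g. `// Returns HTML-escaped text (entities encoded): safe to embed in HTML, NOT plain text`; if they are emitted as JSON, Markdown or `textContent`, decode the three entities sanitize-html emits after stripping, as below, and keep the title truncation after that decode so it cannot split an entity. `sanitizeArticle`'s body continues past the hunk.
```javascript
// sanitize-html strips tags but HTML-escapes the remaining text; undo the
// entities it emits so callers get plain text. htmlparser2 decodes the input
// first, so &amp; &lt; &gt; are the only entities left in the output.
// NOTE(review): only do this if consumers treat the result as text, never HTML.
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>' };

function sanitizeText(input) {
  if (!input) {
    return '';
  }
  const escaped = sanitizeHtml(input, {
    allowedTags: [],
    allowedAttributes: {},
  });
  return escaped.replace(/&(?:amp|lt|gt);/g, (entity) => ENTITIES[entity]);
}
```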
This commit adds `sanitize-html` to `package.json` but does not update `package-lock.json`. In any environment that installs dependencies via the lockfile (e.g., `npm ci` in CI/CD or deployments), `sanitize-html` will not be installed and the new `require('sanitize-html')` in `src/aggregator.js` will throw `MODULE_NOT_FOUND` at runtime. Please regenerate the lockfile so it includes the new dependency.