Fix code scanning alert no. 26: Incomplete multi-character sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Jonhvmp and github-advanced-security[bot] authored Dec 7, 2024
1 parent fb4d9cc commit 133372f
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion backend/src/models/Snippet.ts
@@ -85,7 +85,11 @@ SnippetSchema.pre<ISnippet>('save', function (next) {
this.code = this.code.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Remover atributos perigosos
this.code = this.code.replace(/on\w+="[^"]*"/g, '').replace(/on\w+='[^']*'/g, '');
let previousCode;
do {
previousCode = this.code;
this.code = this.code.replace(/on\w+="[^"]*"/g, '').replace(/on\w+='[^']*'/g, '');

Check failure: Code scanning / CodeQL
Incomplete multi-character sanitization (High): This string may still contain "on", which may cause an HTML attribute injection vulnerability.

} while (this.code !== previousCode);

// Remover URLs perigosas em estilos inline
this.code = this.code.replace(/style\s*=\s*["'][^"']*(javascript|data|vbscript):[^"']*["']/gi, 'style=""');
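Review bot: The do/while loop in this hunk only closes the nested-match hole (a handler attribute that becomes visible after an earlier one is removed); the two regexes still match only double- or single-quoted values, so an unquoted value such as `onclick=foo` passes through untouched, and the CodeQL annotation attached to the new replace line shows the same "Incomplete multi-character sanitization" alert still being reported, so the alert is not closed by this change. More fundamentally, the line above the hunk already turns `<` and `>` into `&lt;` and `&gt;` before this step, so no tag can be formed from the stored code anyway; stripping `on*` attributes from a code snippet therefore rewrites legitimate snippet content (any snippet that itself contains `onclick="..."`) without adding protection. Suggest dropping the regex stripping in favour of encoding at render time, or, if it must stay, extending the pattern to unquoted values, adding a test for the termination of the loop on inputs like `ononclick="a"click="b"`, and re-running the scan to confirm the alert is actually resolved rather than dismissed.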

0 comments on commit 133372f
