Skip to content

fix(website): complete HTML attribute escaping in the editor component#279

Merged
zantvoort merged 1 commit into
mainfrom
fix/html-attribute-escaping
Jul 16, 2026
Merged

fix(website): complete HTML attribute escaping in the editor component#279
zantvoort merged 1 commit into
mainfrom
fix/html-attribute-escaping

Conversation

@zantvoort

Copy link
Copy Markdown
Collaborator

Resolves the two CodeQL js/incomplete-html-attribute-sanitization alerts (medium) in website/src/components/tutorial/tutorialTheme.js.

The per-variant data-tag and data-file attributes on code blocks were built with esc(), which escapes &, <, > but not the " that delimits the attribute. Escape " to &quot;, matching the adjacent data-copy attribute.

In practice these values are static (Kotlin/Java, filenames), so there is no exploitable injection; this completes the sanitization pattern and clears the alerts.

The per-variant data-tag and data-file attributes were built with esc(),
which escapes &<> but not the double quote that delimits the attribute
(CodeQL js/incomplete-html-attribute-sanitization). Escape " to &quot; as
the adjacent data-copy already does; the sanitization is now complete.
@zantvoort
zantvoort merged commit 4ecc29a into main Jul 16, 2026
6 checks passed
@zantvoort
zantvoort deleted the fix/html-attribute-escaping branch July 16, 2026 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant