From 03120224198d39e5c7f9460a6622d3c9d5df38e0 Mon Sep 17 00:00:00 2001 From: Leon van Zantvoort Date: Fri, 17 Jul 2026 01:19:25 +0200 Subject: [PATCH] fix(website): escape quotes in editor data-tag and data-file attributes The per-variant data-tag and data-file attributes were built with esc(), which escapes &<> but not the double quote that delimits the attribute (CodeQL js/incomplete-html-attribute-sanitization). Escape " to " as the adjacent data-copy already does; the sanitization is now complete. --- website/src/components/tutorial/tutorialTheme.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/src/components/tutorial/tutorialTheme.js b/website/src/components/tutorial/tutorialTheme.js index a65a132f9..a34e564f8 100644 --- a/website/src/components/tutorial/tutorialTheme.js +++ b/website/src/components/tutorial/tutorialTheme.js @@ -122,7 +122,7 @@ export function editor({file, tag, code, sql, copy, variants}) { const paneCopy = v.copy || (copy === true ? toPlain(v.code) : null); return `
${pane(v.code)}
`; + }${v.tag ? ` data-tag="${esc(v.tag).replace(/"/g, '"')}"` : ''}${v.file ? ` data-file="${esc(v.file).replace(/"/g, '"')}"` : ''}>${pane(v.code)}`; }) .join('') : `
${pane(code)}
`;