Merge pull request #638 from github/copilot/sub-pr-637

fix(website): escape backslashes in file paths to prevent string context breakout
This commit is contained in:
Aaron Powell
2026-02-02 16:09:09 +11:00
committed by GitHub


@@ -298,7 +298,8 @@ export function setupDropdownCloseHandlers(): void {
export function getActionButtonsHtml(filePath: string, small = false): string {
const btnClass = small ? 'btn-small' : '';
const iconSize = small ? 14 : 16;
const escapedPath = filePath.replace(/'/g, "\\'");
// Escape backslashes first, then single quotes to prevent breaking out of the JavaScript string literal in the onclick attribute
const escapedPath = filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
return `
<button class="btn btn-secondary ${btnClass} action-download" data-path="${escapeHtml(filePath)}" onclick="event.stopPropagation(); window.__downloadFile && window.__downloadFile('${escapedPath}')" title="Download file">