From fb5f22a6b27980a9096bf6c8496afee45d1cb063 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 2 Feb 2026 05:05:42 +0000
Subject: [PATCH] fix(website): properly escape backslashes and quotes in file paths

The previous implementation only escaped single quotes, which could allow backslashes in file paths to break out of the JavaScript string context. Now we escape backslashes first (\ -> \\), then single quotes (' -> \'), preventing potential security issues.

Fixes CodeQL alert #26 for incomplete string escaping.

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
---
 website/src/scripts/utils.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/website/src/scripts/utils.ts b/website/src/scripts/utils.ts
index 7e1f861b..07f54d3d 100644
--- a/website/src/scripts/utils.ts
+++ b/website/src/scripts/utils.ts
@@ -298,7 +298,8 @@ export function setupDropdownCloseHandlers(): void {
 export function getActionButtonsHtml(filePath: string, small = false): string {
 const btnClass = small ? 'btn-small' : '';
 const iconSize = small ? 14 : 16;
- const escapedPath = filePath.replace(/'/g, "\\'");
+ // Escape backslashes first, then single quotes to prevent breaking out of string context
+ const escapedPath = filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
 return `