fix(website): properly escape backslashes and quotes in file paths

The previous implementation escaped only single quotes, so a backslash in a file path could neutralise that escape (a path ending in `\` became `\\'`, where the backslash consumes the added escape and the quote terminates the string) and break out of the JavaScript string context.
Now we escape backslashes first (\ -> \\), then single quotes (' -> \'),
so the order matters: escaping quotes first would leave the newly added backslashes unescaped.

Fixes CodeQL alert #26 for incomplete string escaping.

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-02-02 05:05:42 +00:00
parent 8b9fa465f6
commit fb5f22a6b2


@@ -298,7 +298,8 @@ export function setupDropdownCloseHandlers(): void {
export function getActionButtonsHtml(filePath: string, small = false): string {
const btnClass = small ? 'btn-small' : '';
const iconSize = small ? 14 : 16;
const escapedPath = filePath.replace(/'/g, "\\'");
// Escape backslashes first, then single quotes to prevent breaking out of string context
const escapedPath = filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
return `
<button class="btn btn-secondary ${btnClass} action-download" data-path="${escapeHtml(filePath)}" onclick="event.stopPropagation(); window.__downloadFile && window.__downloadFile('${escapedPath}')" title="Download file">