Stricter html string check #639

Merged
merged 3 commits into from
Aug 4, 2025

Conversation

wxiaoguang
Contributor

Fix #638

/^\s*<[a-zA-Z]/.test(" \n\t<a") => true

The real world case is like this:

const s = `
  <div ...>
   ...
  </div>
`;
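As an added example (not code from eslint-plugin-github), the snippet below reproduces the shape of the unescaped-html-literal check over constructed source text, comparing the PR's `/^\s*<[a-zA-Z]/` against an assumed earlier form that allowed no leading whitespace, so the real-world case above can be seen slipping past the old check and being caught by the new one. The literal extractor and the sample source are constructed for this example.

```javascript
// Added example, not the plugin's own source. It mimics the rule's test on
// literal bodies so the effect of the stricter regex can be seen offline.
const strictOpenTag = /^\s*<[a-zA-Z]/; // pattern from this PR
const looseOpenTag = /^<[a-zA-Z]/;     // assumed earlier form: whitespace before '<' not tolerated

// Pull template literals and plain string literals out of a JS source string.
// Adequate for the constructed sample below; it is not a JavaScript parser.
const literalPattern = /`(?:[^`\\]|\\[\s\S])*`|"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'/g;

function extractLiterals(source) {
  // Strip the surrounding quotes/backticks, leaving the raw literal body.
  return [...source.matchAll(literalPattern)].map(m => m[0].slice(1, -1));
}

// Returns the literal bodies that the given pattern flags as HTML-looking.
function findHtmlLiterals(source, pattern = strictOpenTag) {
  return extractLiterals(source).filter(body => pattern.test(body));
}

// Constructed sample: an indented multi-line template (the real-world case from
// the PR), a string starting directly with a tag, and a string that is not HTML.
const sample = [
  'const s = `',
  '  <div class="x">',
  '    ...',
  '  </div>',
  '`;',
  'const t = "<a href=\\"/\\">link</a>";',
  'const u = "plain text < 5";',
].join('\n');

console.log('loose :', findHtmlLiterals(sample, looseOpenTag).length);  // 1: the indented block is missed
console.log('strict:', findHtmlLiterals(sample, strictOpenTag).length); // 2: both HTML literals flagged
```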

@Copilot Copilot AI review requested due to automatic review settings June 30, 2025 11:09
@wxiaoguang wxiaoguang requested a review from a team as a code owner June 30, 2025 11:09
@wxiaoguang wxiaoguang requested a review from arelia June 30, 2025 11:09

@Copilot Copilot AI left a comment

Pull Request Overview

This PR ensures that HTML literal strings correctly handle leading whitespace by updating the regex match pattern.

  • Updated regex in unescaped-html-literal.js to allow for preceding whitespace before an HTML tag.
  • Fixes potential false negatives in matching real-world HTML snippets.
Comments suppressed due to low confidence (1)

lib/rules/unescaped-html-literal.js:18

  • Consider adding a comment explaining that the updated regex now supports leading whitespace before an HTML tag to aid future maintainability.
    const htmlOpenTag = /^\s*<[a-zA-Z]/

@wxiaoguang
Contributor Author

ping @manuelpuyol (I see you are maintaining this project 🙏 )

@wxiaoguang
Contributor Author

Also cc @jibrang and @manuelpuyol

What do you think about this change? I think it is important to handle this edge case, otherwise there could still be HTML abuses or even XSS.

Contributor

@arelia arelia left a comment

looks good! thank you for the contribution!

@arelia arelia merged commit d6e9d33 into github:main Aug 4, 2025
Successfully merging this pull request may close these issues.

Make unescaped-html-literal more strict