Strip markdown comments from stringified commits #528

Merged: sorenlouv merged 1 commit into main from strip-markdown-comments on Feb 17, 2025

Conversation

@sorenlouv (Owner)

Follow-up to #526

This strips markdown comments like <!-- markdown-comment --> in the stringified commit message {{commitsStringified}}.

@sorenlouv sorenlouv enabled auto-merge (squash) February 17, 2025 14:13
function stripMarkdownComments(str: string): string {
  return str.replace(/<!--[\s\S]*?-->/g, '');
}

Check failure: Code scanning / CodeQL

Incomplete multi-character sanitization

This string may still contain <!--, which may cause an HTML element injection vulnerability.

Copilot Autofix (AI, about 1 year ago)

To fix the problem, we need to ensure that all instances of the targeted pattern are removed, even if they appear consecutively or are nested. One effective way to achieve this is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not reappear in the sanitized input.

We will modify the stripMarkdownComments function to repeatedly apply the regular expression replacement until the input string no longer changes. This will ensure that all HTML comments are fully removed.

Suggested changeset 1
src/lib/github/v3/getPullRequest/getPullRequestBody.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/github/v3/getPullRequest/getPullRequestBody.ts b/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
--- a/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
+++ b/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
@@ -85,3 +85,8 @@
 function stripMarkdownComments(str: string): string {
-  return str.replace(/<!--[\s\S]*?-->/g, '');
+  let previous;
+  do {
+    previous = str;
+    str = str.replace(/<!--[\s\S]*?-->/g, '');
+  } while (str !== previous);
+  return str;
 }
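Review bot: the fixed-point loop closes the case CodeQL flags (an opener that only appears after the first pass, e.g. `<!<!-- a -->-- b -->`, which one pass reduces to `<!-- b -->`), but neither the old nor the new body handles an unterminated comment: `<!-- never closed` contains no `-->`, so `/<!--[\s\S]*?-->/g` never matches and the loop exits on its first iteration with the `<!--` still in the output. If the goal is to mirror what a markdown/HTML renderer hides, add a trailing `.replace(/<!--[\s\S]*$/, '')` after the loop. Minor style point: give the loop variable an explicit type, `let previous: string;`, to match the typed signature of the function.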
EOF
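The single-pass replace from the PR description and the fixed-point loop from the Copilot suggestion, side by side, as an added example that is not part of the backport project's code: it runs both on a constructed input where one pass leaves a `<!--` behind (the condition the CodeQL alert describes) and adds a hardened variant, `stripComments`, which is an assumption of this example rather than something the page proposes, that also drops an unterminated comment. All sample strings are constructed for the demo.

```typescript
// Added example, not code from the backport project. Three ways to strip
// HTML/markdown comments, run on constructed inputs.

// Single pass, as on the PR branch (the form CodeQL flagged).
function stripOnce(str: string): string {
  return str.replace(/<!--[\s\S]*?-->/g, '');
}

// Fixed point, as in the Copilot autofix: every pass that changes the string
// removes at least the four characters of one "<!--", so the loop terminates.
function stripUntilStable(str: string): string {
  let previous: string;
  do {
    previous = str;
    str = str.replace(/<!--[\s\S]*?-->/g, '');
  } while (str !== previous);
  return str;
}

// Hardened variant (an assumption of this example, not something the page
// proposes): reach the fixed point, then drop a trailing unterminated
// comment, which an HTML parser treats as comment text up to end of input.
function stripComments(str: string): string {
  return stripUntilStable(str).replace(/<!--[\s\S]*$/, '');
}

// True when a "<!--" survives sanitization, i.e. the condition CodeQL warns
// about: a downstream consumer may still read it as a comment opener.
function leavesOpener(str: string): boolean {
  return str.includes('<!--');
}

interface Comparison {
  once: string;
  stable: string;
  hardened: string;
}

function compare(input: string): Comparison {
  return {
    once: stripOnce(input),
    stable: stripUntilStable(input),
    hardened: stripComments(input),
  };
}

// Constructed inputs for the demo.
const SAMPLES: Record<string, string> = {
  plain: 'Fix bug <!-- internal note --> in parser',
  // The opener is split by an inner comment; removing the inner comment
  // re-assembles "<!-- b -->", so one pass is not enough.
  nested: '<!<!-- a -->-- b -->',
  // No closing "-->": the non-greedy regex never matches.
  unterminated: 'Fix bug <!-- never closed',
};

function main(): void {
  for (const name of Object.keys(SAMPLES)) {
    const r = compare(SAMPLES[name]);
    console.log(
      name,
      JSON.stringify(r),
      'opener left after one pass:',
      leavesOpener(r.once),
    );
  }
}

main();
```

The nested sample is the one the CodeQL query is designed around: the sanitizer's own output contains the pattern it was meant to remove. The unterminated sample shows the gap the fixed-point loop does not cover, which only matters if the stripped text is later rendered as HTML or markdown rather than written into a plain commit message.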
@sorenlouv sorenlouv merged commit da50e9e into main Feb 17, 2025
@sorenlouv sorenlouv deleted the strip-markdown-comments branch February 17, 2025 14:16