Potential fix for code scanning alert no. 11: Incomplete multi-character sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
l5y
2026-02-14 15:06:29 +01:00
committed by GitHub
parent ef8ab344bf
commit 66fe3bb923


@@ -255,10 +255,17 @@ module PotatoMesh
# @return [String] sanitized HTML safe for rendering in templates.
def sanitize_rendered_html(html)
value = html.to_s.dup
value.gsub!(%r{<\s*(script|style|iframe|object|embed)[^>]*>.*?<\s*/\s*\1\s*>}mi, "")
value.gsub!(/\s+on[a-z]+\s*=\s*(['"]).*?\1/mi, "")
value.gsub!(/\s+on[a-z]+\s*=\s*[^\s>]+/mi, "")
value.gsub!(/\s+(href|src)\s*=\s*(['"])\s*(?:javascript|data|file):.*?\2/mi, "")
previous = nil
# Repeatedly apply the sanitization patterns until the content stabilizes.
# This avoids incomplete removal when multi-character matches expose
# additional executable tags or attributes after substitution.
while previous != value
previous = value.dup
value.gsub!(%r{<\s*(script|style|iframe|object|embed)[^>]*>.*?<\s*/\s*\1\s*>}mi, "")
value.gsub!(/\s+on[a-z]+\s*=\s*(['"]).*?\1/mi, "")
value.gsub!(/\s+on[a-z]+\s*=\s*[^\s>]+/mi, "")
value.gsub!(/\s+(href|src)\s*=\s*(['"])\s*(?:javascript|data|file):.*?\2/mi, "")
end
value
end
end
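Review bot: The stabilization loop makes the output a fixed point of these patterns, but the `(href|src)` pattern only matches quoted values and the event-handler patterns only match attributes preceded by whitespace, so unquoted URL attributes, attributes separated by a non-space character, and `vbscript:` URLs are still not stripped; a regex denylist over HTML is not a complete sanitizer. Consider adding the unquoted form next to the quoted one, `value.gsub!(/\s+(href|src)\s*=\s*(?:javascript|data|file|vbscript):[^\s>]*/mi, "")`, and extending the quoted alternative to `(?:javascript|data|file|vbscript)`; the robust fix is an HTML-parser-based sanitizer or escaping the content for the template rather than regexes. The loop terminates because every `gsub!` here only deletes characters, so `value` strictly shrinks on each non-stable pass — worth stating in the comment above `while`: `# Terminates: each pass only deletes text, so value strictly shrinks until no pattern matches.` If the four `gsub!` calls before `previous = nil` survive on the new side (the marker column is lost on this page), they duplicate the first loop iteration and can be dropped; the enclosing module continues outside the hunk.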