From 66fe3bb92309a36a7fd100a97a50f63da9f50eac Mon Sep 17 00:00:00 2001
From: l5y <220195275+l5yth@users.noreply.github.com>
Date: Sat, 14 Feb 2026 15:06:29 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 11: Incomplete multi-character sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 web/lib/potato_mesh/sanitizer.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/web/lib/potato_mesh/sanitizer.rb b/web/lib/potato_mesh/sanitizer.rb
index 10cea36..9f068d0 100644
--- a/web/lib/potato_mesh/sanitizer.rb
+++ b/web/lib/potato_mesh/sanitizer.rb
@@ -255,10 +255,17 @@ module PotatoMesh
 # @return [String] sanitized HTML safe for rendering in templates.
 def sanitize_rendered_html(html)
 value = html.to_s.dup
- value.gsub!(%r{<\s*(script|style|iframe|object|embed)[^>]*>.*?<\s*/\s*\1\s*>}mi, "")
- value.gsub!(/\s+on[a-z]+\s*=\s*(['"]).*?\1/mi, "")
- value.gsub!(/\s+on[a-z]+\s*=\s*[^\s>]+/mi, "")
- value.gsub!(/\s+(href|src)\s*=\s*(['"])\s*(?:javascript|data|file):.*?\2/mi, "")
+ previous = nil
+ # Repeatedly apply the sanitization patterns until the content stabilizes.
+ # This avoids incomplete removal when multi-character matches expose
+ # additional executable tags or attributes after substitution.
+ while previous != value
+ previous = value.dup
+ value.gsub!(%r{<\s*(script|style|iframe|object|embed)[^>]*>.*?<\s*/\s*\1\s*>}mi, "")
+ value.gsub!(/\s+on[a-z]+\s*=\s*(['"]).*?\1/mi, "")
+ value.gsub!(/\s+on[a-z]+\s*=\s*[^\s>]+/mi, "")
+ value.gsub!(/\s+(href|src)\s*=\s*(['"])\s*(?:javascript|data|file):.*?\2/mi, "")
+ end
 value
 end
 end
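Review bot: The fixed-point loop only makes the four deny-list patterns converge; it does not close the gaps in the patterns themselves, so `sanitize_rendered_html` still should not be documented as returning HTML "safe for rendering in templates". The tag pattern requires a matching closing tag, so an unclosed `<script src=...>` or a void `<embed src=...>` is left untouched; both handler patterns require a leading `\s+`, so `<img/onerror=...>` is not matched; and the `href`/`src` pattern matches only a quoted, literal `javascript:`/`data:`/`file:` scheme, so an unquoted value, an entity-encoded scheme such as `java&#115;cript:` or a tab inside the scheme survives and is decoded by the browser after sanitization. Unless callers already HTML-escape or pass only trusted markup (not visible in this hunk), a regex deny-list cannot be made complete by repetition; an allow-list sanitizer built on an HTML parser (Loofah/`rails-html-sanitizer`, if already a dependency) or plain escaping of the untrusted parts is the robust fix. At minimum, replace the `@return` line with `# @return [String] HTML with known-dangerous tags and attributes stripped; best-effort deny-list, not a substitute for escaping untrusted input.` so the contract matches what the code does.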