From d6bf8af6c40af31b3d8a4ccc59278bd9211919cd Mon Sep 17 00:00:00 2001
From: l5y <220195275+l5yth@users.noreply.github.com>
Date: Sat, 14 Feb 2026 15:06:59 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 13: Incomplete multi-character sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 web/lib/potato_mesh/sanitizer.rb | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/web/lib/potato_mesh/sanitizer.rb b/web/lib/potato_mesh/sanitizer.rb
index a5b6a6c..5cb4ba2 100644
--- a/web/lib/potato_mesh/sanitizer.rb
+++ b/web/lib/potato_mesh/sanitizer.rb
@@ -256,9 +256,16 @@ module PotatoMesh
 def sanitize_rendered_html(html)
 value = html.to_s.dup
 previous = nil
- value.gsub!(/\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/mi, "")
- # additional executable tags or attributes after substitution.
- while previous != value
+ loop do
+ previous = value.dup
+ # Remove any event handler attributes with quoted values, e.g. onclick="..."
+ value.gsub!(/\s+on[a-z0-9_-]*\s*=\s*(['"]).*?\1/mi, "")
+ # Remove any event handler attributes with unquoted values, e.g. onclick=doSomething
+ value.gsub!(/\s+on[a-z0-9_-]*\s*=\s*[^\s>]+/mi, "")
+ # Strip dangerous href/src URL schemes such as javascript:, data:, or file:
+ value.gsub!(/\s+(href|src)\s*=\s*(['"])\s*(?:javascript|data|file):.*?\2/mi, "")
+ break if value == previous
+ end
 previous = value.dup
 value.gsub!(%r{<\s*(script|style|iframe|object|embed)[^>]*>.*?<\s*/\s*\1\s*>}mi, "")
 value.gsub!(/\s+on[a-z]+\s*=\s*(['"]).*?\1/mi, "")
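Review bot: The removed `while previous != value` line has a matching `end` below the hunk that this single-hunk, three-deletion patch does not touch, so unless it was dropped elsewhere the tag-stripping `gsub!` calls after the new `loop do … end` now run straight-line exactly once and the orphaned `end` closes `sanitize_rendered_html` early — check that the file still parses and, more importantly, that the `<script|style|iframe|object|embed>` removal is still iterated to a fixpoint, since nested fragments like `<scr<script></script>ipt>` surviving a single pass is precisely what the "incomplete multi-character sanitization" alert is about. The cleaner shape is one `loop do` that snapshots `previous = value.dup`, runs every `gsub!` (handlers, URL schemes and the tag patterns that follow), and ends with `break if value == previous`, deleting the second `previous = value.dup` and the old `while` loop's `end`. The new `href`/`src` filter also only matches quoted values and the literal prefixes `javascript`, `data` and `file`, so an unquoted `href=javascript:…`, a `vbscript:` URL, or a scheme split by whitespace or entity-encoded characters (`java&#10;script:`) still passes; add an unquoted counterpart such as `value.gsub!(/\s+(href|src)\s*=\s*(?:javascript|vbscript|data|file):[^\s>]*/mi, "")` and prefer rejecting any value whose decoded, whitespace-stripped scheme is not on an allow-list over enumerating bad ones. The method body continues past the end of the hunk.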