Update documentation #250

cjlapao · 2024-12-10T10:45:06Z

No description provided.

docs/docs/github-actions/assets/js/app.js

+		$el.each(function(i) {
+			var title = $(this).attr('title');
+			if (title) {
+				$insert.append("<li class=\"tab\"><a href=\"#\">" + title + "</a></li>");


To fix the problem, we need to ensure that the title attribute is properly escaped before being inserted into the HTML string. This can be done using a utility function that escapes special HTML characters. We will create a function to escape the title attribute and use it in the listLanguages function.

docs/docs/github-actions/docs/github-actions/assets/js/app.js

+		$el.each(function(i) {
+			var title = $(this).attr('title');
+			if (title) {
+				$insert.append("<li class=\"tab\"><a href=\"#\">" + title + "</a></li>");


To fix the problem, we need to ensure that the title attribute is properly escaped before being inserted into the HTML. This can be achieved by using a function that escapes special HTML characters, preventing any potential XSS attacks.

The best way to fix this without changing existing functionality is to create a utility function that escapes HTML characters and use it to sanitize the title attribute before concatenating it into the HTML string.

Update documentation files

a196fb2

cjlapao requested review from alevlasu, bineesh-n and polonius as code owners December 10, 2024 10:45

boring-cyborg bot added the documentation Improvements or additions to documentation label Dec 10, 2024

cjlapao added this to the 0.9.12 milestone Dec 10, 2024

github-advanced-security bot found potential problems Dec 10, 2024

View reviewed changes

cjlapao closed this Dec 10, 2024

@@ -110,2 +110,13 @@
+            	function escapeHtml(text) {
+            	    var map = {
+            	        '&': '&amp;',
+            	        '<': '&lt;',
+            	        '>': '&gt;',
+            	        '"': '&quot;',
+            	        "'": '&#039;'
+            	    };
+            	    return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+            	}
             	function listLanguages($el, $insert) {
@@ -114,3 +125,3 @@
             			if (title) {
-            				$insert.append("<li class=\"tab\"><a href=\"#\">" + title + "</a></li>");
+            				$insert.append("<li class=\"tab\"><a href=\"#\">" + escapeHtml(title) + "</a></li>");
             			}

@@ -110,2 +110,17 @@
+            	function escapeHtml(text) {
+            		return text.replace(/[&<>"'`=\/]/g, function (s) {
+            			return ({
+            				'&': '&amp;',
+            				'<': '&lt;',
+            				'>': '&gt;',
+            				'"': '&quot;',
+            				"'": '&#39;',
+            				'/': '&#x2F;',
+            				'`': '&#x60;',
+            				'=': '&#x3D;'
+            			})[s];
+            		});
+            	}
             	function listLanguages($el, $insert) {
@@ -114,3 +129,3 @@
             			if (title) {
-            				$insert.append("<li class=\"tab\"><a href=\"#\">" + title + "</a></li>");
+            				$insert.append("<li class=\"tab\"><a href=\"#\">" + escapeHtml(title) + "</a></li>");
             			}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update documentation #250

Update documentation #250

cjlapao commented Dec 10, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Update documentation #250

Update documentation #250

Conversation

cjlapao commented Dec 10, 2024