
Strip markdown comments from stringified commits #528

Merged
merged 1 commit into main from strip-markdown-comments
Feb 17, 2025

Conversation

sorenlouv (Owner)

Follow up to #526

This strips markdown comments like <!-- markdown-comment --> in the stringified commit message {{commitsStringified}}.

@sorenlouv sorenlouv enabled auto-merge (squash) February 17, 2025 14:13
@@ -79,3 +81,7 @@
.replaceAll('{{{{/raw}}}}', '');
}
}

function stripMarkdownComments(str: string): string {
return str.replace(/<!--[\s\S]*?-->/g, '');
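Review bot: the single-pass `str.replace(/<!--[\s\S]*?-->/g, '')` is what CodeQL flags on this line: removing one match can leave fragments on either side that join into a fresh `<!-- ... -->`, so one pass does not guarantee the result is comment-free before it is interpolated into `{{commitsStringified}}`. Repeating the replacement until the string stops changing (a fixed-point loop) closes that gap; a one-line comment above the function stating that only HTML-style `<!-- -->` comments are stripped would also help the next reader.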

Check failure

Code scanning / CodeQL

Incomplete multi-character sanitization (High)

This string may still contain `<!--`, which may cause an HTML element injection vulnerability.

Copilot Autofix AI 14 days ago

To fix the problem, we need to ensure that all instances of the targeted pattern are removed, even if they appear consecutively or are nested. One effective way to achieve this is to apply the regular expression replacement repeatedly until no more replacements can be performed. This ensures that the unsafe text does not reappear in the sanitized input.

We will modify the stripMarkdownComments function to repeatedly apply the regular expression replacement until the input string no longer changes. This will ensure that all HTML comments are fully removed.

Suggested changeset 1
src/lib/github/v3/getPullRequest/getPullRequestBody.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/github/v3/getPullRequest/getPullRequestBody.ts b/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
--- a/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
+++ b/src/lib/github/v3/getPullRequest/getPullRequestBody.ts
@@ -85,3 +85,8 @@
 function stripMarkdownComments(str: string): string {
-  return str.replace(/<!--[\s\S]*?-->/g, '');
+  let previous;
+  do {
+    previous = str;
+    str = str.replace(/<!--[\s\S]*?-->/g, '');
+  } while (str !== previous);
+  return str;
 }
EOF
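Review bot: the do/while fixed-point loop handles the re-forming case CodeQL reported, but `let previous;` leaves the variable untyped and depends on TypeScript's evolving-type inference; `let previous: string;` states the intent and is safe under `noImplicitAny`. The loop also reassigns the `str` parameter, which works but reads more clearly as a local (`let current = str;`). One gap remains either way: an unterminated `<!--` with no matching `-->` never matches this pattern and passes through untouched, so if the guarantee wanted is "no `<!--` reaches the PR body", a final step that drops or escapes a dangling `<!--` is still needed.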
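The CodeQL alert and the autofix above describe the difference between one regex pass and a fixed-point loop in prose. The following TypeScript is an added example, not code from the backport project or from Copilot: it places the single-pass version beside the iterated one, adds a stricter variant that also drops an unterminated `<!--` (the regex cannot match it without a closing `-->`), and includes a guard function a test can assert on. `stripStrict`, `hasNoCommentOpener` and the `SAMPLES` inputs are assumptions constructed for the example.

```typescript
// Added example (not the project's code): single-pass vs. fixed-point
// stripping of HTML-style comments, plus a check that none survive.
const COMMENT_RE = /<!--[\s\S]*?-->/g;

// Single pass, as in the original hunk: one replacement, no re-check.
function stripOnce(str: string): string {
  return str.replace(COMMENT_RE, '');
}

// Fixed-point loop, as in the suggested autofix: repeat until the
// string no longer changes, so fragments that re-form a comment after
// an inner removal are caught on the next pass.
function stripUntilStable(str: string): string {
  let current = str;
  let previous: string;
  do {
    previous = current;
    current = current.replace(COMMENT_RE, '');
  } while (current !== previous);
  return current;
}

// Stricter variant (assumption, not in the PR): after the fixed point,
// also remove a dangling "<!--" that has no closing "-->", which the
// comment regex can never match.
function stripStrict(str: string): string {
  const stable = stripUntilStable(str);
  return stable.replace(/<!--[\s\S]*$/, '');
}

// Invariant worth asserting in a unit test: no comment opener remains.
function hasNoCommentOpener(str: string): boolean {
  return !str.includes('<!--');
}

// Constructed sample inputs.
const SAMPLES = {
  plain: 'feat: add thing <!-- internal note --> done',
  // Removing the inner comment in one pass re-forms an outer one.
  overlapping: '<!-<!-- a -->- b -->',
  unterminated: 'fix: bump <!-- forgot to close',
};

// Stand-alone demonstration of the three behaviours.
for (const [name, input] of Object.entries(SAMPLES)) {
  console.log(name, {
    once: stripOnce(input),
    stable: stripUntilStable(input),
    strict: stripStrict(input),
  });
}
```

Running the block shows that `stripOnce` leaves `<!-- b -->` behind for the overlapping input, `stripUntilStable` removes it on the second pass, and only `stripStrict` clears the unterminated case; the `hasNoCommentOpener` guard is the check to put next to whichever variant is chosen.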
@sorenlouv sorenlouv merged commit da50e9e into main Feb 17, 2025
2 of 3 checks passed
@sorenlouv sorenlouv deleted the strip-markdown-comments branch February 17, 2025 14:16