Skip to content

Master api docs improvements#15

Merged
rwsdwatson merged 6 commits intomasterfrom
master_api_docs_improvements
Apr 2, 2025
Merged

Master api docs improvements#15
rwsdwatson merged 6 commits intomasterfrom
master_api_docs_improvements

Conversation

@Impertatore
Copy link
Collaborator

@Impertatore Impertatore commented Apr 2, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 2, 2025
View reviewed changes
RWSTemplate/styles/docfx.js
var itemBrief = extractContentBrief(hit.summary || '');

var itemNode = $('<div>').attr('class', 'sr-item');
var itemTitleNode = $('<div>').attr('class', 'item-title').append($('<a>').attr('href', itemHref).attr("target", "_blank").attr("rel", "noopener noreferrer").text(itemTitle));

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML High

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
RWSTemplate/styles/docfx.js
}
event.preventDefault();
info.anchor.href = 'javascript:';
setTimeout(function () { return info.anchor.href = '#' + info.anchor.getAttribute('aria-controls'); });

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML High

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 11 months ago

To fix the problem, we need to ensure that the value of the aria-controls attribute is properly sanitized before it is used. One way to do this is to use a function that escapes any potentially dangerous characters. This will prevent any malicious content from being interpreted as HTML.

We will create a utility function to escape HTML characters and use this function to sanitize the value of the aria-controls attribute before using it.

Suggested changeset 1
RWSTemplate/styles/docfx.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/RWSTemplate/styles/docfx.js b/RWSTemplate/styles/docfx.js
--- a/RWSTemplate/styles/docfx.js
+++ b/RWSTemplate/styles/docfx.js
@@ -3,2 +3,10 @@
 $(function () {
+  function escapeHtml(unsafe) {
+    return unsafe
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/"/g, "&quot;")
+      .replace(/'/g, "&#039;");
+  }
   var active = 'active';
@@ -917,3 +925,3 @@
       info.anchor.href = 'javascript:';
-      setTimeout(function () { return info.anchor.href = '#' + info.anchor.getAttribute('aria-controls'); });
+      setTimeout(function () { return info.anchor.href = '#' + escapeHtml(info.anchor.getAttribute('aria-controls')); });
       var tabIds = info.tabIds, group = info.group;
EOF
@@ -3,2 +3,10 @@
$(function () {
function escapeHtml(unsafe) {
return unsafe
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;")
.replace(/"/g, "&quot;")
.replace(/'/g, "&#039;");
}
var active = 'active';
@@ -917,3 +925,3 @@
info.anchor.href = 'javascript:';
setTimeout(function () { return info.anchor.href = '#' + info.anchor.getAttribute('aria-controls'); });
setTimeout(function () { return info.anchor.href = '#' + escapeHtml(info.anchor.getAttribute('aria-controls')); });
var tabIds = info.tabIds, group = info.group;
Copilot is powered by AI and may make mistakes. Always verify output.
@rwsdwatson rwsdwatson merged commit bee2ac2 into master Apr 2, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@wyrdfish wyrdfish

@rwsdwatson rwsdwatson

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Impertatore @wyrdfish @rwsdwatson

Comments