diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1bea494a7be3..ec9ffd4c6ef9 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,6 +28,10 @@ jobs:
with:
ref: ${{ matrix.branch }}
+ - name: Get head SHA
+ id: get-head-sha
+ run: echo "SHA=$(git rev-parse origin/${{ matrix.branch }})" >> "$GITHUB_OUTPUT"
+
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
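Review bot: The new `run:` on the `Get head SHA` step interpolates `${{ matrix.branch }}` directly into the shell command, which is the expression-injection pattern GitHub's workflow-hardening guidance advises against; the value comes from the job's own matrix (defined outside this hunk), so the exposure is presumably low, but the safer idiom is free: `env:` / `  BRANCH: ${{ matrix.branch }}` / `run: echo "SHA=$(git rev-parse --verify "origin/$BRANCH")" >> "$GITHUB_OUTPUT"`. A second point is that a failing `git rev-parse` inside `$(...)` does not fail the step, so a checkout that did not create the `origin/<branch>` tracking ref would silently write an empty `SHA` output, which the `analyze` step in the following hunk then passes as `sha:`; consider checking the output is non-empty before appending it, or adding `set -e` and a guard.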
@@ -42,6 +46,8 @@ jobs:
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
+ ref: refs/heads/${{ matrix.branch }}
+ sha: ${{ steps.get-head-sha.outputs.SHA }}
fetch:
runs-on: devextreme-shr2
diff --git a/packages/devextreme/js/core/utils/string.js b/packages/devextreme/js/core/utils/string.js
index 0e43bdff1789..846791d0674c 100644
--- a/packages/devextreme/js/core/utils/string.js
+++ b/packages/devextreme/js/core/utils/string.js
@@ -73,7 +73,7 @@ export function format(template, ...values) {
export const replaceAll = (function() {
const quote = function(str) {
- return (str + '').replace(/([+*?.[^\]$(){}><|=!:])/g, '\\$1'); // lgtm[js/incomplete-sanitization]
+ return (str + '').replace(/([\\+*?.[^\]$(){}><|=!:])/g, '\\$1');
};
return function(text, searchToken, replacementToken) {
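Review bot: The widened character class in `quote` is correct but hard to audit now that the `lgtm[js/incomplete-sanitization]` suppression is gone: the leading `\\` inside `[...]` is easy to misread as an escape of the following `+`. A short comment above the `return` would preserve the intent, e.g. `// Escape every RegExp metacharacter, the backslash included, so the token is matched literally.`; presumably the quoted token is later handed to `new RegExp` in the returned function, whose body continues past the end of the hunk. The enclosing `replaceAll` IIFE also starts and ends outside the hunk.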
diff --git a/packages/devextreme/js/localization/ldml/number.js b/packages/devextreme/js/localization/ldml/number.js
index 4407c7af6c93..180e103fa70d 100644
--- a/packages/devextreme/js/localization/ldml/number.js
+++ b/packages/devextreme/js/localization/ldml/number.js
@@ -210,7 +210,7 @@ function getFormatByValueText(valueText, formatter, isPercent, isNegative) {
format = format.replace(/1+/, '1').replace(/1/g, '#');
if(!isPercent) {
- format = format.replace('%', '\'%\''); // lgtm[js/incomplete-sanitization]
+ format = format.replace(/%/g, '\'%\'');
}
return format;
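Review bot: The switch from a string pattern to `/%/g` makes the replacement cover every percent sign, but nothing in the hunk says why a literal `%` must be quoted at all, and the removed suppression comment was the only hint. A comment above the `if` would help, e.g. `// Quote every literal '%' so it is not read as a percent multiplier when the format is not a percent format.`; the enclosing `getFormatByValueText` starts outside the hunk, so I cannot tell from here whether `format` can already contain a quoted `'%'`, in which case the global replace would double-quote it. If that is possible, confirm it against the callers.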
diff --git a/packages/devextreme/testing/tests/DevExpress.core/utils.string.tests.js b/packages/devextreme/testing/tests/DevExpress.core/utils.string.tests.js
index 0490ce619620..1672eb308750 100644
--- a/packages/devextreme/testing/tests/DevExpress.core/utils.string.tests.js
+++ b/packages/devextreme/testing/tests/DevExpress.core/utils.string.tests.js
@@ -7,6 +7,7 @@ QUnit.test('replace all case insensitive', function(assert) {
assert.strictEqual(stringUtils.replaceAll('test sentence', 'test', '$1'), 'test sentence', 'replacement token $1');
assert.strictEqual(stringUtils.replaceAll('Test sentence', 'test', '$1'), 'Test sentence', 'Replacement for different case');
assert.strictEqual(stringUtils.replaceAll('Test sentence test', 'test', '$1'), 'Test sentence test', 'Multiple replacements');
+ assert.strictEqual(stringUtils.replaceAll('test sentence', 'test', '\\$1\\'), '\\test\\ sentence', 'backslash escaped correctly');
});
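Review bot: The new assertion places the backslashes in `replacementToken`, not in `searchToken`, so it does not exercise the regex change to `quote` in `string.js` if, as the hunk there suggests, `quote` is applied to the search token (its use lies outside that hunk). A case with a backslash in the search token would pin the fix directly, e.g. `assert.strictEqual(stringUtils.replaceAll('a\\b a\\b', '\\', '/'), 'a/b a/b', 'backslash in search token escaped');`, which would fail on the old regex because an unescaped trailing backslash is not a valid RegExp. Keeping the existing assertion as well is fine; the two cover different arguments.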
QUnit.test('stringFormat', function(assert) {