
Feature/sentry #21 (Merged)

feruzm merged 2 commits into develop from feature/sentry on Sep 21, 2024

Conversation

@dkildar
Collaborator

@dkildar dkildar commented Sep 20, 2024

Please don't forget about the ENV variable for Sentry, and use your own DSN in the configs.

@dkildar dkildar requested a review from feruzm September 20, 2024 17:22
@dkildar dkildar self-assigned this Sep 20, 2024
@feruzm feruzm merged commit adc9723 into develop Sep 21, 2024
@feruzm feruzm deleted the feature/sentry branch September 21, 2024 12:07
feruzm added a commit that referenced this pull request May 20, 2026
Round 2 of fixes responding to automated PR review feedback.

CodeQL (new alerts triggered by round 1):
- get-pure-post-text + publish-validate-post + blog-post-page: after
  loop tag strip, also strip residual `<`/`>` so unclosed/truncated
  tags (e.g. ending `…<script` with no closing `>`) can't leave a
  `<script` or `<!--` substring in the output. Closes #141, #142.
- api/import noscript path: replaced wrapper.innerHTML + regex
  strip with DOMParser.parseFromString (no script execution) +
  whitelisted-attribute migration of <img> elements only. Eliminates
  the innerHTML sink entirely and removes the need for the regex
  event-handler strip (which greptile flagged for missing
  /onerror-style slash-separated attributes). Closes #139, #140.

Codex P2 + coderabbit #4: SAFE_IMG_SRC_RE accepted protocol-relative
and root-relative URLs but rejected document-relative ones, and
sanitize-html downstream only keeps http(s)://. Replaced with
normalizeImgSrc(candidate, document.baseURI) that resolves every form
(absolute, //protocol, /root, ./doc, plain.jpg) against the article's
base URL and requires the absolute result be http(s). Recovered lazy
images now survive the render-helper pass.

Greptile #2: a.method href check inverted from blocklist
(javascript:/data:/vbscript:/file:) to positive whitelist
(https?/mailto/hive/tel/web+ext + relative forms). Less-common
schemes (ms-its:, mk:, res:, intent:, etc.) now also rejected.
Control-char strip widened to \f \v \0 in addition to \t \n \r.

CodeRabbit:
- twitter-extension + twitterEnhancer: also accept www.twitter.com
  and www.x.com (commonly shared with the www prefix).
- profile-wallet-token-actions, profile-wallet-token-summary (×2),
  hive-engine-token-history: replaced (username as string) force-cast
  with typeof guard so an undefined param returns "" instead of
  throwing.
- promote-post-setup: `.replace("@", "")` → `.replace(/@/g, "")` for
  consistency with the adjacent /%40/g.

Skipped:
- coderabbit autofix bot — not used.
- video-upload-threespeak #21 (URL.createObjectURL blob) — same false
  positive call as before, dismiss in CodeQL UI.

Tests: render-helper 1,072/1,072 green (covers the new a.method
whitelist via 112 a.method.spec tests). Typecheck shows no new
errors on touched files; the pre-existing TS errors in
promote-post-setup, publish-validate-post and token-picker are
unrelated and were present before this PR.
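The three checks the referenced commit describes (looped tag strip followed by a residual `<`/`>` strip, a positive href scheme allow-list with a widened control-character strip, and base-URL resolution of every img src form), written out as an added JavaScript sketch that is not the project's code; the function names, the exact scheme set and the sample base URL are assumptions.

```javascript
// Added illustration (not the project's code); names and scheme list are assumptions.
// Strip the control characters the commit lists (\t \n \r \f \v \0) so a
// scheme such as "java\tscript:" cannot slip past a textual scheme check.
function stripControlChars(s) {
  return String(s ?? "").replace(/[\t\n\r\f\v\0]/g, "");
}

// Tag strip in a loop (handles tags that re-form after one pass), then drop
// any leftover "<" or ">" so a truncated "<script" with no closing ">" cannot survive.
function stripTagsResidual(html) {
  let out = String(html ?? "");
  let prev;
  do {
    prev = out;
    out = out.replace(/<[^<>]*>/g, "");
  } while (out !== prev);
  return out.replace(/[<>]/g, "");
}

// Positive allow-list of link schemes; relative forms are accepted because
// resolving them against an http(s) base yields an http(s) URL.
const ALLOWED_HREF_SCHEMES = new Set(["http:", "https:", "mailto:", "hive:", "tel:", "web+ext:"]);

function isAllowedHref(rawHref, baseURI) {
  const href = stripControlChars(rawHref).trim();
  if (href === "") return false;
  let url;
  try {
    url = new URL(href, baseURI); // WHATWG parser lowercases the scheme for us
  } catch {
    return false; // unparsable: reject rather than guess
  }
  return ALLOWED_HREF_SCHEMES.has(url.protocol);
}

// Resolve every src form (absolute, //host, /root, ./doc, plain.jpg) against
// the article's base URL and keep it only if the absolute result is http(s).
function normalizeImgSrc(candidate, baseURI) {
  const src = stripControlChars(candidate).trim();
  if (src === "") return null;
  let url;
  try {
    url = new URL(src, baseURI);
  } catch {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}
```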