fix(Find): Replace single quotes in Finding’s html field
#36
Conversation
…ak single-quoted shell strings
Pull Request Overview
This PR fixes an issue where single quotes in HTML content were breaking downstream workflows that use shell string interpolation with jq. The fix applies HTML entity encoding (') to single quotes across all Finding fields.
Key Changes
- Added single quote escaping to the previously unescaped `html` field
- Standardized the escaping pattern across all fields from `'` to `'`
| html: violation.nodes[0].html, | ||
| problemShort: violation.help.toLowerCase().replace(/[']/g, '’'), | ||
| problemUrl: violation.helpUrl.replace(/[']/g, '’'), | ||
| html: violation.nodes[0].html.replace(/'/g, "'"), |
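Review bot: the new `html` line rewrites only the single quote, so `<`, `>`, `&` and `"` in `violation.nodes[0].html` still pass through untouched, and the rendered diff shows the replacement literal with its entity already decoded, so a reader of this page cannot confirm what the field actually contains afterwards. A short comment on that line saying this is protection for the single-quoted shell consumer, not general HTML output encoding, would stop later readers from relying on it as escaping. The adjacent `problemShort` and `problemUrl` lines use `/[']/g` while the new line uses `/'/g`; the two are equivalent, so one form for all three would read better.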
Copilot (AI), Oct 21, 2025
The `html` field should use HTML entity encoding for all special characters, not just single quotes. Consider using a proper HTML escaping function to handle `<`, `>`, `&`, `"`, and `'` to prevent potential XSS vulnerabilities or data corruption when the HTML is processed downstream.
I'm open to this, but each of these specific examples is safe in a single-quoted shell string (where they are treated as string literals, not as shell operators, etc.)
Addresses #22 (that issue will remain open until this fix is backported to the v1 and v2 series)
This PR escapes single quotes in the `html` field (other fields were escaped already). This prevents findings for elements with single quotes (e.g. `<p>Hi y'all!</p>`) from breaking workflows, specifically around action.yml#86, where a single-quoted shell string is sent to `jq`.
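To make the failure mode concrete, the following is an added shell example, not code from the project or this PR: it reproduces how an apostrophe in a finding's `html` breaks a command built from a single-quoted shell string, then contrasts the PR's data-side approach (rewriting `'` as an HTML entity; `&#39;` is assumed here, the page does not show which entity the PR uses) with quoting the value correctly on the shell side so the data need not change. The sample HTML and all function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample: a finding whose html contains an apostrophe.
SAMPLE_HTML="<p>Hi y'all!</p>"

# Fragile pattern (what the workflow did): paste the value verbatim
# between single quotes when building a command line.
fragile_cmd() {
  printf "printf '%%s' '%s'" "$1"
}

# Data-side workaround (the PR's approach, entity assumed): rewrite
# every apostrophe in the value as an HTML entity before it reaches
# the shell. '\&' keeps sed from expanding '&' to the matched text.
html_escape_apos() {
  printf '%s' "$1" | sed "s/'/\\&#39;/g"
}

# Shell-side fix: wrap an arbitrary string so the shell sees exactly
# one literal word. Each ' becomes '\'' (close, escaped quote, reopen),
# so the value survives unchanged, apostrophes included.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

robust_cmd() {
  printf "printf '%%s' %s" "$(shell_quote "$1")"
}

# Run a constructed command line in a child shell; a command that does
# not parse (unterminated quote) yields SYNTAX_ERROR instead of output.
run_cmd() {
  sh -c "$1" 2>/dev/null || echo SYNTAX_ERROR
}

# Demonstration when run directly:
#   fragile  -> SYNTAX_ERROR (the apostrophe closed the quote early)
#   entity   -> <p>Hi y&#39;all!</p> (works, but the consumer sees an entity)
#   quoted   -> <p>Hi y'all!</p>    (works, data unchanged)
printf 'fragile: %s\n' "$(run_cmd "$(fragile_cmd "$SAMPLE_HTML")")"
printf 'entity:  %s\n' "$(run_cmd "$(fragile_cmd "$(html_escape_apos "$SAMPLE_HTML")")")"
printf 'quoted:  %s\n' "$(run_cmd "$(robust_cmd "$SAMPLE_HTML")")"
```

For the jq step itself the same idea applies: pass the value with `jq --arg name "$value"` (or through an environment variable) rather than interpolating it into the jq program string.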