
fix(website): escape backslashes in file paths to prevent string context breakout#638

Merged
aaronpowell merged 3 commits into experiment/github-pages-website from copilot/sub-pr-637
Feb 2, 2026

Conversation


Copilot AI commented Feb 2, 2026

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • My contribution adds a new instruction, prompt, agent, or skill file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, or skill with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.

Description

Addresses CodeQL alert #26: incomplete string escaping in getActionButtonsHtml(). File paths containing backslashes could break out of the JavaScript string literal in onclick attributes.

Before:

const escapedPath = filePath.replace(/'/g, "\\'");
// Input: "path\to\file's.txt" → "path\to\file\'s.txt" ❌ Backslash not escaped

After:

const escapedPath = filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
// Input: "path\to\file's.txt" → "path\\to\\file\'s.txt" ✅ Both escaped

Escaping order matters: backslashes first, then quotes.


Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New collection file.
  • New skill file.
  • Update to existing instruction, prompt, agent, collection or skill.
  • Other (please specify):

Additional Notes

CodeQL validation confirms zero security alerts. Addresses review feedback from #637.


By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.
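As an added example (not code from this PR or the repository), the two escapers from the description above, plus the wrong-order variant, checked with a small reader that consumes a single-quoted JavaScript literal the way a parser would; `checkEscaper`, `readSingleQuotedLiteral` and the sample path are this example's own names and constructed input.

```javascript
// Added example, not the project's code: compare the old and fixed escapers
// from the PR by feeding their output through a minimal JS literal reader.

// Old version: only single quotes escaped (the CodeQL finding).
function escapeOld(filePath) {
  return filePath.replace(/'/g, "\\'");
}

// Fixed version: backslashes first, then single quotes.
function escapeFixed(filePath) {
  return filePath.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Wrong order (quotes first): the backslash added for the quote gets doubled.
function escapeWrongOrder(filePath) {
  return filePath.replace(/'/g, "\\'").replace(/\\/g, '\\\\');
}

// Reads one single-quoted literal from the start of `src`; returns the decoded
// value plus any text after the closing quote, or null if unterminated. \\ and
// \' decode exactly; any other \X is kept as X, enough to show a lost backslash.
function readSingleQuotedLiteral(src) {
  let value = '';
  for (let i = 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === '\\') {
      value += src[i + 1] ?? '';
      i += 1;
    } else if (ch === "'") {
      return { value, rest: src.slice(i + 1) };
    } else {
      value += ch;
    }
  }
  return null; // no closing quote found
}

// Embeds the escaped path in quotes as an onclick handler would, then checks
// that the decoded value is the original path and nothing spills past the
// closing quote. A non-empty `rest` means the path broke out of the literal.
function checkEscaper(escaper, filePath) {
  const parsed = readSingleQuotedLiteral("'" + escaper(filePath) + "'");
  if (!parsed) return { ok: false, value: '', rest: '' };
  const { value, rest } = parsed;
  return { ok: value === filePath && rest === '', value, rest };
}

// Constructed sample path, the same one used in the PR description.
const SAMPLE_PATH = "path\\to\\file's.txt";
```

This checks only the JavaScript string-literal layer; the onclick attribute value itself still needs HTML attribute encoding (for example of `"` and `&`), which neither escaper handles.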



Copilot AI and others added 2 commits February 2, 2026 05:05
The previous implementation only escaped single quotes, which could allow
backslashes in file paths to break out of the JavaScript string context.
Now we escape backslashes first (\ -> \\), then single quotes (' -> \'),
preventing potential security issues.

Fixes CodeQL alert #26 for incomplete string escaping.

Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Copilot AI changed the title [WIP] WIP to address feedback from review on website pull request fix(website): escape backslashes in file paths to prevent string context breakout Feb 2, 2026
Copilot AI requested a review from aaronpowell February 2, 2026 05:08
@aaronpowell aaronpowell marked this pull request as ready for review February 2, 2026 05:09
Copilot AI review requested due to automatic review settings February 2, 2026 05:09
@aaronpowell aaronpowell merged commit a424744 into experiment/github-pages-website Feb 2, 2026
@aaronpowell aaronpowell deleted the copilot/sub-pr-637 branch February 2, 2026 05:09

Copilot AI left a comment


Pull request overview

This pull request addresses a security vulnerability (CodeQL alert #26) by fixing incomplete string escaping in the getActionButtonsHtml() function. File paths containing backslashes could previously break out of JavaScript string literals in onclick attributes, creating a potential code injection risk.

Changes:

  • Added proper backslash escaping before single quote escaping in getActionButtonsHtml()
  • Added explanatory comment documenting the escaping order and purpose


@mdabdullahalaminkhan mdabdullahalaminkhan left a comment


👍
