fix: decode named invisible-char HTML entities in decodeHtmlEntities to close @mention bypass

[Copilot]

Bug Fix

What was the bug?

decodeHtmlEntities decoded numeric invisible-character entities (­, ­) but not their named equivalents (­, ‌, ‍, ‎, ‏, etc.). Because hardenUnicodeText Step 3 strips actual Unicode code points, named entities survived the pipeline as literal &...; text. neutralizeAllMentions then failed to match @­victim — & is not in [A-Za-z0-9] — so the mention passed through unsanitized. GitHub renders the entity on display, resulting in a live @victim notification trigger.

How did you fix it?

Extended decodeHtmlEntities (after the & block) with replace calls for every named entity whose code point is stripped by Steps 3–4 of hardenUnicodeText, including double-encoded variants (­ etc.):

Named entity	Aliases	Code point
­	—	U+00AD soft hyphen
‌	—	U+200C zero-width non-joiner
‍	—	U+200D zero-width joiner
‎	—	U+200E left-to-right mark
‏	—	U+200F right-to-left mark
​	—	U+200B zero-width space
⁠	—	U+2060 word joiner
⁡	⁡	U+2061 invisible function application
⁢	⁢	U+2062 invisible times
⁣	⁣	U+2063 invisible separator

After decoding, the real code points hit Step 3's strip regex and the resulting bare @victim is neutralized normally:

// Before fix
sanitizeContentCore('@­victim say hi')
// → '@­victim say hi'  ← bypassed

// After fix
sanitizeContentCore('@­victim say hi')
// → '`@victim` say hi'  ← neutralized

Testing

Added 15 regression tests in sanitize_content.test.cjs covering each new named entity form (including case-insensitive variants and multi-entity combinations).

[Copilot]

Pull request overview

This PR closes an @mention neutralization bypass where named HTML entities for invisible/formatting characters (e.g., ­, ‌, ‎) could survive sanitization and render as live mentions on GitHub.

Changes:

• Extend decodeHtmlEntities to decode named invisible/formatting entities (and their &...; forms) into real Unicode code points so hardenUnicodeText can strip them.
• Add regression tests ensuring @&name;user inputs are neutralized after sanitization.
• Update dependabot locked workflows to derive the Docker socket path from DOCKER_HOST for improved compatibility.

Show a summary per file

File	Description
actions/setup/js/sanitize_content_core.cjs	Adds decoding for named invisible-character entities to prevent @mention bypass.
actions/setup/js/sanitize_content.test.cjs	Adds regression coverage for named-entity @mention bypass cases.
.github/workflows/dependabot-worker.lock.yml	Uses DOCKER_HOST to choose the Docker socket path when starting the MCP gateway container.
.github/workflows/dependabot-campaign.lock.yml	Same Docker socket path handling update as the worker workflow.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 3

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

All three review comments have been addressed in the latest commit:

• sanitize_content_core.cjs: Added &ip;/&InvisiblePlus; → U+2064 (INVISIBLE PLUS) to decodeHtmlEntities, closing the gap between U+2063 and the Step 3 strip range's upper bound \u2064. Two matching regression tests added.

• dependabot-campaign.lock.yml and dependabot-worker.lock.yml: Added if ! test -S "$DOCKER_SOCK_PATH"; then DOCKER_SOCK_PATH=/var/run/docker.sock; fi after the case block, so a non-existent or non-socket path derived from DOCKER_HOST falls back to the standard socket path before stat and the -v mount.

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done. Merged origin/main (merge commit fd0510b) and ran make recompile — the lock files were already up-to-date, so no additional changes were generated.