
fix(core/issues-notes): validate GitHub label color, use html template for heading #5207

Merged
marcoscaceres merged 9 commits into main from fix/batch-b-security on Apr 27, 2026

Conversation


@marcoscaceres marcoscaceres commented Apr 18, 2026

Summary

  • CSS injection hardening: bgColor from GitHub labels API is now validated against /^[0-9a-f]{6}$/i before being interpolated into a style attribute. Invalid values fall back to #f6f8fa (GitHub's default gray). This prevents a malformed or adversarially crafted label color from injecting arbitrary CSS properties.
  • DOM safety: Replace insertAdjacentHTML("afterbegin", `<h1>...`) in makeIssueSectionSummary with prepend(html`<h1>...`) — the html tagged template literal is already used throughout the file and creates DOM nodes safely rather than parsing HTML strings.

Test plan

  • pnpm start --browser ChromeHeadless --grep="Core - Issues and Notes"
  • pnpm start --browser FirefoxHeadless --grep="Core - Issues and Notes"

…centHTML

Validate bgColor against /^[0-9a-f]{6}$/i before use in style attribute;
invalid/empty values fall back to #f6f8fa (GitHub gray) to prevent CSS
injection. Replace insertAdjacentHTML with html tagged template + prepend
for DOM-safe heading insertion. Add tests for both fixes.
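
The color check described in the summary and commit message above, as an added example (not code from this pull request or from the project). The function names, the `background-color: #…` declaration shape and the sample inputs are assumptions made for illustration; only the regex and the fallback color come from the page.

```javascript
// Added example. Names are hypothetical, not taken from src/core/issues-notes.js.
const HEX6 = /^[0-9a-f]{6}$/i; // pattern quoted in the PR description
const FALLBACK = "f6f8fa"; // GitHub's default gray, per the PR description

// "Before": the value from the labels API goes straight into the style string.
// Assumed shape of the declaration; the real markup is not shown on the page.
function unsafeLabelStyle(color) {
  return `background-color: #${color}`;
}

// "After": only a bare six-digit hex string is interpolated. Anything else,
// including non-strings, falls back to the default gray.
function safeLabelStyle(color) {
  const hex = typeof color === "string" && HEX6.test(color) ? color : FALLBACK;
  return `background-color: #${hex}`;
}

// Minimal declaration splitter used to show which properties a style string
// declares. It is a teaching aid, not a CSS parser.
function declaredProperties(style) {
  return style
    .split(";")
    .map(decl => decl.split(":")[0].trim().toLowerCase())
    .filter(Boolean);
}

// Constructed sample values, standing in for the `color` field of a label.
const samples = [
  "d73a4a", // well-formed
  "D73A4A", // upper case is accepted because of the /i flag
  "", // empty
  "fff", // three-digit shorthand is rejected
  "#d73a4a", // leading '#' is rejected; the caller adds it
  "d73a4a\n", // trailing newline: JS `$` without /m matches only at end of input
  "d73a4a; display: none", // extra declaration smuggled in after the color
  undefined, // field missing from the response
];

// For each input, list the properties each variant would end up declaring.
function audit(colors) {
  return colors.map(color => ({
    input: JSON.stringify(color),
    unsafe: declaredProperties(unsafeLabelStyle(color)).join(", "),
    safe: declaredProperties(safeLabelStyle(color)).join(", "),
    style: safeLabelStyle(color),
  }));
}

console.table(audit(samples));
```

The `unsafe` column shows a second property for the crafted input, while the `safe` column only ever contains `background-color`.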
@marcoscaceres marcoscaceres marked this pull request as ready for review April 18, 2026 09:05
@marcoscaceres marcoscaceres requested a review from Copilot April 18, 2026 09:06

Copilot AI left a comment


Pull request overview

Hardens the Issues/Notes GitHub label rendering against CSS injection and shifts issue-summary heading insertion to use the existing DOM-safe html templating helper.

Changes:

  • Validate GitHub label color values against a 6-digit hex regex and fall back to #f6f8fa when invalid.
  • Replace insertAdjacentHTML() usage for the issue-summary heading with prepend(html`...`).
  • Add/extend tests covering label color sanitization and heading insertion behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| tests/spec/core/issues-notes-spec.js | Adds assertions/tests for sanitized label colors and for issue-summary heading insertion. |
| src/core/issues-notes.js | Sanitizes GitHub label background colors before interpolating into a style attribute; uses html template for inserting the issue-summary heading. |


Comment thread tests/spec/core/issues-notes-spec.js Outdated
The issue-summary heading is injected as h1 by issues-notes.js but
core/structure.js renames it to h2 based on section nesting depth, and
core/id-headers.js then wraps it in div.header-wrapper. The test was
asserting tagName "H1" directly, which would always fail after
structure processing. Update to query the final rendered structure
consistent with surrounding localization tests.

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.



Comment thread tests/spec/core/issues-notes-spec.js Outdated
Comment thread tests/spec/core/issues-notes-spec.js Outdated
Comment thread src/core/issues-notes.js Outdated

Copilot AI commented Apr 18, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@marcoscaceres marcoscaceres marked this pull request as draft April 19, 2026 12:44
Add explicit size check on getElementsByClassName result before
positional destructuring to catch fixture changes early.
@marcoscaceres marcoscaceres marked this pull request as ready for review April 25, 2026 06:55
@sidvishnoi sidvishnoi changed the title from "fix(issues-notes): validate GitHub label color, use html template for heading" to "fix(core/issues-notes): validate GitHub label color, use html template for heading" Apr 25, 2026
Comment thread tests/spec/core/issues-notes-spec.js Outdated
Comment thread tests/spec/core/issues-notes-spec.js Outdated
Remove the standalone "sanitizes GitHub label colors" test — its
assertions duplicate those already in "shows labels for github issues".

Remove the "generates issue summary heading as a DOM element" test —
as Sid correctly noted, instanceof HTMLHeadingElement passes regardless
of whether the element was created via insertAdjacentHTML or DOM APIs,
so the test could not distinguish between them.

Remove the weak not.toContain("javascript") assertion on blankLabel
(empty color can never produce "javascript" in the style attribute).
@marcoscaceres marcoscaceres enabled auto-merge (squash) April 27, 2026 14:16
@marcoscaceres marcoscaceres merged commit b621fc1 into main Apr 27, 2026
9 checks passed
@marcoscaceres marcoscaceres deleted the fix/batch-b-security branch April 27, 2026 14:19
marcoscaceres added a commit that referenced this pull request Apr 28, 2026
…e for heading (#5207)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
marcoscaceres added a commit that referenced this pull request Apr 28, 2026
…e for heading (#5207)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
4 participants