Closed
Description
Bug report
When scanned with the CodeQL scanner, it finds an incomplete sanitization issue in the getUrl.js file.
Actual Behavior
The method below doesn't escape backslash characters in the input.
Expected Behavior
The method should sanitize untrusted input to prevent injection attacks such as SQL injection or cross-site scripting (even if the escaped string is not used in a security-critical context, incomplete escaping may still have undesirable effects, such as badly rendered or confusing output).
How Do We Reproduce?
- Open the Wave analysis extension in VSCode.
- Click Add Analysis Tools and select CodeQL.
- Click OK
- Run the CodeQL scanner
- You should see that it complains about the method in the getUrl.js file as below
Results of npx webpack-cli info:
System:
OS: Windows 11 10.0.26100
CPU: (12) x64 12th Gen Intel(R) Core(TM) i7-1255U
Memory: 13.15 GB / 31.69 GB
Binaries:
Node: 21.6.2 - C:\Program Files\nodejs\node.EXE
npm: 10.2.4 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Chromium (130.0.2849.46)
Internet Explorer: 11.0.26100.1882
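The following is an added illustration of the escaping pattern behind this class of CodeQL finding; it is not the project's getUrl.js (whose code is not reproduced on this page) and not code from the reporter. The function names `quoteIncomplete`, `quoteComplete`, `consumeCssString` and `roundTrips` are made up for the example, and the inputs in `SAMPLES` are constructed. It places an escaper that handles quotes and newlines but not backslashes next to one that escapes the full character set in a single pass, and runs both through a small CSS string consumer to show which outputs a browser would decode back to the original value and which terminate early.

```javascript
// Added illustration, not the project's getUrl.js: the escaping pattern that
// CodeQL's "incomplete string escaping" query flags, next to a version that
// escapes the backslash, checked against a small CSS string tokenizer.

// Quotes a value for a double-quoted CSS string but forgets the backslash.
// A backslash in the input then eats the escape added for the quote that
// follows it, and a newline becomes "\n", which CSS reads as the letter n.
function quoteIncomplete(value) {
  return `"${String(value).replace(/"/g, '\\"').replace(/\n/g, "\\n")}"`;
}

// Single-pass replacement over the full set of dangerous characters. Doing it
// in one pass also avoids the ordering bug of sequential replaces (backslash
// must be escaped before any replacement that introduces a backslash).
// CSS newline-class characters (LF, CR, FF) are written as hex escapes with a
// terminating space, which is how a CSS string represents them.
function quoteComplete(value) {
  const escaped = String(value).replace(/[\\"\n\r\f]/g, (ch) => {
    if (ch === "\\") return "\\\\";
    if (ch === '"') return '\\"';
    return "\\" + ch.charCodeAt(0).toString(16) + " ";
  });
  return `"${escaped}"`;
}

// Minimal consumer for a double-quoted CSS <string-token> (a subset of the
// "consume a string token" algorithm in CSS Syntax Level 3), used only to show
// what a browser would make of the output. Returns the decoded value and
// whatever text follows the closing quote; a non-empty `rest` means the input
// terminated the string early.
function consumeCssString(src) {
  if (src[0] !== '"') throw new Error("expected opening quote");
  let value = "";
  let i = 1;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"') return { value, rest: src.slice(i + 1) };
    if (ch === "\n") throw new Error("bad-string: unescaped newline");
    if (ch !== "\\") {
      value += ch;
      i += 1;
      continue;
    }
    const next = src[i + 1];
    if (next === undefined) break;                // backslash at EOF: parse error
    if (next === "\n") { i += 2; continue; }      // escaped newline: line continuation
    const hex = /^[0-9a-fA-F]{1,6}/.exec(src.slice(i + 1));
    if (hex) {                                    // hex escape, e.g. "\a " -> LF
      value += String.fromCodePoint(parseInt(hex[0], 16));
      i += 1 + hex[0].length;
      if (i < src.length && /\s/.test(src[i])) i += 1; // one optional whitespace
      continue;
    }
    value += next;                                // any other char escapes itself
    i += 2;
  }
  throw new Error("unterminated string");
}

// True when quoting the value and parsing it back yields the same value with
// nothing left over after the closing quote.
function roundTrips(quoteFn, value) {
  const { value: decoded, rest } = consumeCssString(quoteFn(value));
  return decoded === value && rest === "";
}

// Constructed inputs; the first one is the backslash-before-quote case.
const SAMPLES = ['a\\"b', "C:\\path\\img.png", "line1\nline2", 'say "hi"'];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s),
    "incomplete:", roundTrips(quoteIncomplete, s),
    "complete:", roundTrips(quoteComplete, s));
}
```

For the input `a\"b`, the incomplete escaper emits `"a\\"b"`: the parser reads `\\` as a literal backslash, then the unescaped `"` closes the string with `b"` left over, which is the early termination the CodeQL rule is warning about. The same input through the single-pass escaper decodes back to exactly `a\"b`. The trailing space after each hex escape matters: without it, a value such as a newline followed by `beef` would be read as a single six-digit hex escape.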