Skip to content

Potential fix for code scanning alert no. 4: DOM text reinterpreted as HTML#20

Merged
danielbentes merged 1 commit into
mainfrom
alert-autofix-4
May 14, 2026
Merged

Potential fix for code scanning alert no. 4: DOM text reinterpreted as HTML#20
danielbentes merged 1 commit into
mainfrom
alert-autofix-4

Conversation

@danielbentes

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/synaptiai/uim-protocol/security/code-scanning/4

General fix: validate and constrain event.target.value before using it in any sensitive sink. Only allow expected version token characters (or, even better, an explicit allowlist), and reject/fallback on invalid input.

Best fix for this snippet: in uim-docs/site/assets/javascripts/extra.js, inside initializeVersionSelector() (around lines 84–87), sanitize event.target.value using a strict regex such as ^[a-zA-Z0-9._-]+$. If invalid, return early. If valid, use encodeURIComponent(version) when building the path, then assign to window.location.href. This keeps existing behavior for normal version strings while preventing injection/path abuse patterns.

No new imports or dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@danielbentes danielbentes marked this pull request as ready for review May 14, 2026 06:15
@danielbentes danielbentes merged commit 69395ad into main May 14, 2026
5 checks passed
@danielbentes danielbentes deleted the alert-autofix-4 branch May 14, 2026 06:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant