Skip to content

Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML#23

Merged
danielbentes merged 1 commit into
mainfrom
alert-autofix-3
May 14, 2026
Merged

Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML#23
danielbentes merged 1 commit into
mainfrom
alert-autofix-3

Conversation

@danielbentes

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/synaptiai/uim-protocol/security/code-scanning/3

Use strict validation (allowlist) on event.target.value before using it to build a navigation URL.

Best fix in this file:

  • In initializeVersionSelector, validate version against a safe pattern (for example alphanumerics plus . _ - only).
  • If invalid, abort navigation.
  • If valid, URL-encode the segment before interpolation to ensure safe path construction.

This preserves functionality (navigating to /{version}/) while preventing malicious or malformed values from being used.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@danielbentes danielbentes marked this pull request as ready for review May 14, 2026 06:19
@danielbentes danielbentes merged commit 2403bad into main May 14, 2026
5 checks passed
@danielbentes danielbentes deleted the alert-autofix-3 branch May 14, 2026 06:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant