Skip to content

Incomplete string escaping or encoding#2744

Open
shaidar wants to merge 3 commits intomasterfrom
sar/string_encoding
Open

Incomplete string escaping or encoding#2744
shaidar wants to merge 3 commits intomasterfrom
sar/string_encoding

Conversation

@shaidar
Copy link
Copy Markdown
Contributor

@shaidar shaidar commented Oct 1, 2025

Description (What does it do?)

This fix addresses CodeQL's js/incomplete-sanitization check

@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist bot commented Oct 1, 2025

Summary of Changes

Hello @shaidar, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a crucial security enhancement by refining the string escaping mechanism within the hugoEscapeParamValue function. The change specifically addresses a CodeQL finding related to incomplete sanitization, ensuring that special characters like backslashes, newlines, and double quotes are escaped in the correct sequence. This prevents potential injection vulnerabilities and improves the robustness of parameter handling.

Highlights

  • Security Fix: Addressed an 'incomplete sanitization' vulnerability identified by CodeQL by improving string escaping logic.
  • String Escaping Order: Modified the hugoEscapeParamValue function to correctly escape backslashes first, then newlines, and finally double quotes, ensuring proper sanitization order.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 1, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses an incomplete string escaping issue, which is a potential security vulnerability. The change correctly adds escaping for backslashes in Hugo shortcode parameter values. I've added one suggestion to make the whitespace handling more robust, but overall the main fix is correct and improves the security of the application.

Comment thread static/js/lib/ckeditor/plugins/util.ts Outdated
return value.replace(/\n/g, " ").replace(/"/g, '\\"')
return value
.replace(/\\/g, '\\\\') // Escape backslashes FIRST
.replace(/\n/g, " ") // Then newlines
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot Oct 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The replacement of newline characters is a bit incomplete. It handles line feed (\n) but not other whitespace characters like carriage return (\r) or tab (\t).

  • On some systems, newlines are represented as \r\n. The current code would convert this to \r (a carriage return followed by a space), which is probably not what you want. It's better to replace both \r and \n.
  • Hugo shortcode parameters are space-delimited. If a parameter value contains a tab, it might be treated as a delimiter. The toHugo method, which uses this function, only quotes positional parameters if they contain a space, not a tab. Replacing tabs with spaces here would ensure those values get quoted correctly.

I suggest replacing tabs and both parts of common newline sequences with a space to handle these cases.

Suggested change
.replace(/\n/g, " ") // Then newlines
.replace(/[\r\n\t]/g, " ") // Then newlines and tabs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Needs Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shaidar