chore(release-firefox): repeat sanitization #42737
Open
+7
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Member
|
Given this script’s nature and use case, I’m not 100% sure there might be any user input risk here. It’s just a comment in a markdown file we control. So, I don’t want to overcomplicate code just to make the scanner happy based on an incorrect assumption. |
Contributor
Author
|
@pepelsbey I think we should apply best practices, even in this case. Even if there is zero risk for us, folks might look at this code and take inspiration from it. |
Member
|
This code is not exposed either to MDN users or to MDN contributors and most likely will cease to exist with our plans for Firefox release notes. And I doubt that applying patterns irrelevant for the use case (we don’t have user input) is best practice. It’s more of a cargo cult. But it’s not a hill I’m willing to die on 😉 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/mdn/content/security/code-scanning/56
In general, to fix incomplete multi-character sanitization with regex replacements, you can either (a) use a dedicated sanitization library, or (b) apply the replacement repeatedly until no further changes occur, ensuring that patterns that reappear after replacement are also removed. Here, the goal is very narrow—removing all HTML comments from a markdown file—so the simplest robust fix is to repeatedly apply the existing comment-stripping regex until the string stabilizes.
Concretely, in
scripts/content/release-firefox.js, insideupdateReleaseNotes, in theif (newStatus === "stable")block, the line:should be replaced with a small loop that keeps applying this replacement until no more matches are found. This avoids any edge cases where removing one comment could create a new
<!--...-->sequence that would otherwise be left behind. We don't need new imports or external libraries; just local logic in the same function. No other behavior of the script is changed.Suggested fixes powered by Copilot Autofix. Review carefully before merging.