Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix code scanning alert no. 21: DOM text reinterpreted as HTML #3918

Merged
merged 1 commit into from
Sep 30, 2024
Merged

Fix code scanning alert no. 21: DOM text reinterpreted as HTML #3918

merged 1 commit into from
Sep 30, 2024

Conversation

alex-w
Copy link
Member

@alex-w alex-w commented Sep 28, 2024

Fixes https://github.com/Stellarium/stellarium/security/code-scanning/21

To fix the problem, we need to ensure that the selection variable is properly encoded before being used in the URL. This can be achieved by using a function that encodes the value to make it safe for inclusion in a URL. The best way to do this is to use the encodeURIComponent function, which encodes a URI component by replacing each instance of certain characters with one, two, or three escape sequences representing the UTF-8 encoding of the character.

  • Modify the line where the selection variable is concatenated into the URL string to use encodeURIComponent(selection).
  • This change should be made in the initControls function, specifically on line 57.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@alex-w @github-advanced-security
Fix code scanning alert no. 21: DOM text reinterpreted as HTML
3e73e9b 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot requested review from 10110111 and gzotti September 28, 2024 14:23
@alex-w alex-w marked this pull request as ready for review September 28, 2024 16:35
@alex-w alex-w added this to the 24.4 milestone Sep 28, 2024
@alex-w alex-w merged commit 3f65c7f into master Sep 30, 2024
31 checks passed
@alex-w alex-w deleted the autofix/alert-21-587dae6004 branch September 30, 2024 06:28
@alex-w alex-w added the state: published The fix has been published for testing in weekly binary package label Oct 7, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 7, 2024

Hello @alex-w!

Please check the fresh version (development snapshot) of Stellarium:
https://github.com/Stellarium/stellarium-data/releases/tag/weekly-snapshot

@alex-w alex-w removed the state: published The fix has been published for testing in weekly binary package label Dec 22, 2024
@github-actions GitHub Actions
Copy link

Hello @alex-w!

Please check the latest stable version of Stellarium:
https://github.com/Stellarium/stellarium/releases/latest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@10110111 10110111 Awaiting requested review from 10110111

@gzotti gzotti Awaiting requested review from gzotti

Assignees

@alex-w alex-w

Labels
None yet
Milestone
24.4
Development

Successfully merging this pull request may close these issues.
1 participant
@alex-w