fix: escape backslashes in PDF script injection strings

Resolve CodeQL incomplete string escaping alerts by centralizing escJsSingleQuoted for all values embedded in injected script content.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-17 11:06:17 +09:30
parent 8a5424c5a4
commit 62ed702e64
@@ -440,6 +440,10 @@ function trustedPageOrigin(): string {
return window.location.origin; return window.location.origin;
} }
function escJsSingleQuoted(value: string): string {
return value.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}
async function fetchPDFAsArrayBuffer(url: string): Promise<ArrayBuffer> { async function fetchPDFAsArrayBuffer(url: string): Promise<ArrayBuffer> {
const isBlobUrl = url.startsWith("blob:"); const isBlobUrl = url.startsWith("blob:");
const pageOrigin = trustedPageOrigin(); const pageOrigin = trustedPageOrigin();
@@ -448,8 +452,8 @@ async function fetchPDFAsArrayBuffer(url: string): Promise<ArrayBuffer> {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const script = document.createElement("script"); const script = document.createElement("script");
const requestId = `pdf-fetch-${Date.now()}-${Math.random()}`; const requestId = `pdf-fetch-${Date.now()}-${Math.random()}`;
const escapedUrl = url.replace(/'/g, "\\'"); const escapedUrl = escJsSingleQuoted(url);
const escapedOrigin = pageOrigin.replace(/'/g, "\\'"); const escapedOrigin = escJsSingleQuoted(pageOrigin);
script.textContent = ` script.textContent = `
(function() { (function() {
@@ -540,22 +544,17 @@ export async function extractPDFText(url: string): Promise<string> {
if (isFirefox) { if (isFirefox) {
const { lib: pdfLibUrl, worker: pdfWorkerUrl } = const { lib: pdfLibUrl, worker: pdfWorkerUrl } =
getPdfjsPageContextUrls(); getPdfjsPageContextUrls();
const escJsSingleQuoted = (s: string) =>
s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
const pdfLibInj = escJsSingleQuoted(pdfLibUrl); const pdfLibInj = escJsSingleQuoted(pdfLibUrl);
const pdfWorkerInj = escJsSingleQuoted(pdfWorkerUrl); const pdfWorkerInj = escJsSingleQuoted(pdfWorkerUrl);
const pageOrigin = trustedPageOrigin(); const pageOrigin = trustedPageOrigin();
const escapedOrigin = pageOrigin.replace(/'/g, "\\'"); const escapedOrigin = escJsSingleQuoted(pageOrigin);
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const script = document.createElement("script"); const script = document.createElement("script");
const requestId = `pdf-extract-${Date.now()}-${Math.random()}`; const requestId = `pdf-extract-${Date.now()}-${Math.random()}`;
const escapedUrl = url const escapedUrl = escJsSingleQuoted(url);
.replace(/\\/g, "\\\\")
.replace(/'/g, "\\'")
.replace(/"/g, '\\"');
script.textContent = ` script.textContent = `
(function() { (function() {
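Review bot: `escJsSingleQuoted` escapes only `\` and `'`, so it is safe only inside a single-quoted literal, yet the `extractPDFText` hunk replaces an `escapedUrl` chain that also escaped `"`. Both `script.textContent` templates continue outside the visible hunks, so please confirm that every interpolated value (`escapedUrl`, `escapedOrigin`, `pdfLibInj`, `pdfWorkerInj`) sits between single quotes and never in a double-quoted or template-literal context. A raw line terminator (`\n`, `\r`) in a value would also still end the literal early and make the injected script fail to parse, if such input can reach these functions. A sturdier form is to emit the whole literal with `JSON.stringify(value)` and interpolate it without surrounding quotes, which handles quotes, backslashes and control characters in one place. If the helper stays, it should carry its contract, e.g. `// Escapes for a single-quoted JS string literal only; not for double-quoted, template-literal or HTML contexts.`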