Tags: html, regex, comments, codeql

Bad HTML filtering regexp


Do you know why CodeQL suggests this? What is wrong in the code?

values = vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');

CodeQL's message: This regular expression only parses --> and not --!> as a HTML comment end tag.


Solution

  • Not saying it should look for --!>; however, if you need an explanation of your regular expression, here it is.

    vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');
    

    (^\s*<!--) looks for the lines starting with 0 or more whitespace characters and your <!--.

    (-->\s*$) looks for --> followed by 0 or more whitespace characters.

    So you need to add: (--!>\s*$) to look for the --!> characters.

    vals.replace(/(^\s*<!--)|(-->\s*$)|(--!>\s*$)|\s+/g, '').split(',');
    

    Though I don't think I've ever seen --!> so maybe double check you really do need it. https://www.w3schools.com/tags/tag_comment.asp

    This is a good starting point for learning regular expressions: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions
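The reason CodeQL flags this is that HTML parsers treat `--!>` as a comment terminator too (the HTML spec calls it an "incorrectly closed comment", but it still ends the comment), so a filter that only knows `-->` lets that terminator through into the data. The following is an added example, not code from the question or the answer, that runs the original expression, the answer's fix, and a compact variant using `--!?>` (an assumption of mine, not something either post proposes) over constructed inputs in Node.js:

```javascript
// Added example: compare comment-delimiter stripping with and without
// recognising the "--!>" terminator. Inputs below are constructed.

function parseOriginal(vals) {
  // Expression from the question: strips a leading "<!--", a trailing "-->"
  // and all whitespace, then splits on commas. Does not know about "--!>".
  return vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');
}

function parseFixed(vals) {
  // The answer's fix: an extra alternative for a trailing "--!>".
  return vals.replace(/(^\s*<!--)|(-->\s*$)|(--!>\s*$)|\s+/g, '').split(',');
}

function parseCompact(vals) {
  // Hypothetical compact form: "--!?>" matches both "-->" and "--!>".
  return vals.replace(/(^\s*<!--)|(--!?>\s*$)|\s+/g, '').split(',');
}

// Does any element still carry a comment terminator after filtering?
function leaksTerminator(parts) {
  return parts.some((p) => /--!?>/.test(p));
}

// Constructed sample inputs: a normally closed comment and one closed
// with the "--!>" form that browsers also accept as a comment end.
const SAMPLES = {
  normal: '<!-- a, b, c -->',
  bangClose: '<!-- a, b, c --!>',
};

function compare() {
  return {
    originalNormal: parseOriginal(SAMPLES.normal),     // ["a","b","c"]
    originalBang: parseOriginal(SAMPLES.bangClose),    // ["a","b","c--!>"]
    fixedBang: parseFixed(SAMPLES.bangClose),          // ["a","b","c"]
    compactBang: parseCompact(SAMPLES.bangClose),      // ["a","b","c"]
    originalLeaks: leaksTerminator(parseOriginal(SAMPLES.bangClose)), // true
    fixedLeaks: leaksTerminator(parseFixed(SAMPLES.bangClose)),       // false
  };
}

console.log(compare());
```

The last element of `originalBang` shows the problem concretely: the terminator survives the filter and ends up inside the parsed value, whereas both corrected expressions strip it.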