Do you know why CodeQL suggests this? What is wrong in the code?

values = vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');

CodeQL's warning: "This regular expression only parses --> and not --!> as a HTML comment end tag."
Not saying it should look for --!>, however if you need an explanation of your regular expression, here it is.

vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');

(^\s*<!--) looks for the lines starting with 0 or more whitespace characters and your <!--.

(-->\s*$) looks for --> followed by 0 or more whitespace characters.

So you need to add (--!>\s*$) to look for the --!> characters:

vals.replace(/(^\s*<!--)|(-->\s*$)|(--!>\s*$)|\s+/g, '').split(',');

Though I don't think I've ever seen --!>, so maybe double check you really do need it. https://www.w3schools.com/tags/tag_comment.asp
This is a good starting point for learning regular expressions: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions
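As an added illustration (not part of the question or the answer above), the following script runs the original regex and the variant with the extra (--!>\s*$) alternative over two constructed inputs, one closed with --> and one closed with --!>. The HTML tokenizer treats --!> as a comment end too (with a parse error), which is why CodeQL flags a stripping regex that knows only -->: with the original pattern the --!> terminator survives into the last parsed value. The function and variable names are chosen here for the demonstration and are not from the original code.

```javascript
// Original regex from the question: strips a leading "<!--", a trailing "-->",
// and all whitespace, then splits on commas.
function parseValsOriginal(vals) {
  return vals.replace(/(^\s*<!--)|(-->\s*$)|\s+/g, '').split(',');
}

// Variant from the answer: also strips a trailing "--!>".
function parseValsWithBang(vals) {
  return vals.replace(/(^\s*<!--)|(-->\s*$)|(--!>\s*$)|\s+/g, '').split(',');
}

// Per the HTML tokenizer, both "-->" and "--!>" terminate a comment.
// This check reports whether any parsed value still carries a terminator,
// i.e. whether the stripping step missed one (the condition CodeQL warns about).
function leaksCommentTerminator(parsed) {
  return parsed.some((v) => v.includes('-->') || v.includes('--!>'));
}

// Constructed sample inputs (hypothetical, not from the original page).
const closedNormally = '  <!-- a, b ,c -->  ';
const closedWithBang = '  <!-- a, b ,c --!>  ';

console.log(parseValsOriginal(closedNormally));  // [ 'a', 'b', 'c' ]
console.log(parseValsOriginal(closedWithBang));  // [ 'a', 'b', 'c--!>' ]
console.log(parseValsWithBang(closedWithBang));  // [ 'a', 'b', 'c' ]
console.log(leaksCommentTerminator(parseValsOriginal(closedWithBang)));  // true
console.log(leaksCommentTerminator(parseValsWithBang(closedWithBang)));  // false
```

Note that the --!> alternative only matters at the end of the string, because both alternatives are anchored with $; a terminator in the middle of the value list is left alone by either pattern, which leaksCommentTerminator would still report.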