Finding
During PR #3177 review, CodeQL flagged that esc() in src/channels/telegram.ts sanitizes &, <, > but NOT double quotes (").
Impact
In md2html(), the output of sanitizeHref() is interpolated into <a href="...">. If an href value contains a double quote ("), it terminates the quoted attribute value and the remainder of the string is parsed as further markup. Combined with Telegram's HTML parse_mode, this could allow attribute injection in rendered messages.
CodeQL alert: https://github.com/OneStepAt4time/aegis/security/code-scanning/142
Fix
Add " to the escape list in esc():
```typescript
function esc(text: string): string {
  return text
    .replace(/&/g, "&amp;")   // must run first so later entities are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;"); // Add this line
}
```
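To make the difference concrete, here is an added example (not the project's code) that places the original escaping behaviour beside the fixed one and feeds both through a stand-in for the href interpolation in md2html(). The functions escOld, escFixed, renderLink and extractHref, and the sample URL, are constructed for this illustration; the real md2html() and sanitizeHref() are not shown.

```typescript
// escOld mirrors the behaviour the finding describes: only &, < and > are escaped.
function escOld(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// escFixed is the proposed fix: the double quote is also turned into an entity,
// so a value can sit inside a double-quoted attribute without terminating it.
function escFixed(text: string): string {
  return text
    .replace(/&/g, "&amp;")   // & first, otherwise the entities below get re-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// renderLink is a hypothetical stand-in for the <a href="..."> interpolation in
// md2html(); the escaper is passed in so both variants can be compared.
function renderLink(href: string, label: string, esc: (s: string) => string): string {
  return `<a href="${esc(href)}">${esc(label)}</a>`;
}

// extractHref reads the href attribute back the way an HTML parser would: the
// value ends at the first unescaped double quote. Entities are then decoded so
// the result can be compared with the URL that was meant to be rendered.
function extractHref(html: string): string {
  const m = html.match(/href="([^"]*)"/);
  if (m === null) {
    return "";
  }
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed sample: an https URL (a protocol a sanitizer like sanitizeHref()
// would allow) whose query string carries a double quote.
const SAMPLE_HREF = 'https://example.com/?q="x';

// hrefSurvives reports whether the attribute, after rendering and re-parsing,
// still holds the full intended URL; false means the quote broke the attribute.
function hrefSurvives(esc: (s: string) => string): boolean {
  return extractHref(renderLink(SAMPLE_HREF, "link", esc)) === SAMPLE_HREF;
}

console.log(renderLink(SAMPLE_HREF, "link", escOld));   // attribute ends at the quote
console.log(renderLink(SAMPLE_HREF, "link", escFixed)); // quote rendered as &quot;
console.log(hrefSurvives(escOld), hrefSurvives(escFixed));
```

The same check is worth keeping as a unit test next to esc(): render a URL containing each of the four characters and assert that extracting the attribute back yields the original string.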
Severity
Medium. Exploitation requires crafted input with a URL containing double quotes, and sanitizeHref() already restricts the allowed protocols, so the fix is defense in depth.
Pre-existing — not introduced by any recent PR. Discovered during PR #3177 CodeQL review.