fix(security): esc() in telegram.ts does not escape double quotes (XSS via href) #3209

Description

@aegis-gh-agent

Finding

During PR #3177 review, CodeQL flagged that esc() in src/channels/telegram.ts sanitizes &, <, > but NOT double quotes (").

Impact

In md2html(), sanitizeHref() output is interpolated into <a href="...">. If a href value contains ", it could break out of the HTML attribute. Combined with Telegram's HTML parse_mode, this could allow attribute injection in rendered messages.

CodeQL alert: https://github.com/OneStepAt4time/aegis/security/code-scanning/142

Fix

Add " to the escape list in esc():

function esc(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");  // Add this line
}

Severity

Medium. Requires crafted input with a URL containing double quotes, but sanitizeHref() already restricts protocols. Defense in depth.
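The breakout described under Impact and the sanitizeHref() caveat above, as an added example that is not the aegis project's own code: the escape helper before and after the fix, applied to a link the way md2html() is described as building it. sanitizeHrefAssumed() is an assumed stand-in for the project's sanitizeHref() that only restricts protocols, and the sample URL is constructed.

```typescript
// Pre-fix behaviour described in the issue: &, <, > are escaped, " is not.
function escBefore(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Post-fix behaviour: " becomes &quot;, so it can no longer close a
// double-quoted attribute. Applied after & so &quot; is not re-escaped.
function escAfter(text: string): string {
  return escBefore(text).replace(/"/g, "&quot;");
}

// Assumed stand-in for sanitizeHref(): allows only http(s) and tg links.
// It says nothing about quotes, which is why esc() must handle them.
function sanitizeHrefAssumed(href: string): string | null {
  return /^(https?|tg):/i.test(href) ? href : null;
}

// Builds the anchor the way the issue describes md2html() doing it:
// sanitized href, then esc(), then interpolation into <a href="...">.
function renderLink(href: string, label: string, esc: (s: string) => string): string {
  const safeHref = sanitizeHrefAssumed(href);
  if (safeHref === null) return esc(label); // disallowed protocol: plain text only
  return `<a href="${esc(safeHref)}">${esc(label)}</a>`;
}

// Detection check for tests: in a well-formed <a href="..."> tag the only
// double quotes are the two delimiting the attribute value. Any more means
// the value broke out of the attribute.
function hrefAttributeIntact(html: string): boolean {
  const tag = html.match(/<a [^>]*>/);
  if (tag === null) return true;
  const quotes = tag[0].match(/"/g);
  return (quotes === null ? 0 : quotes.length) === 2;
}

// Constructed sample input: a URL with a stray double quote in its query.
const SAMPLE_HREF = 'https://example.com/?q="stray';
```

With the pre-fix helper the rendered tag carries three double quotes (the attribute closed early); with the fixed helper the quote is emitted as &quot; and the attribute stays intact.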

Pre-existing — not introduced by any recent PR. Discovered during PR #3177 CodeQL review.

Metadata

Labels: P1, bug, phase-3, released, security, telegram
