Skip to content

Commit 3c158ae

Browse files
alexr00alexr00
committed
Escape file names in processed links
1 parent d7cc0af commit 3c158ae

File tree

1 file changed

+8
-2
lines changed

1 file changed

+8
-2
lines changed

src/common/utils.ts

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1009,6 +1009,10 @@ export function escapeRegExp(string: string) {
10091009
return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
10101010
}
10111011

1012+
function escapeHtmlAttr(value: string): string {
1013+
return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
1014+
}
1015+
10121016
export function truncate(value: string, maxLength: number, suffix = '...'): string {
10131017
if (value.length <= maxLength) {
10141018
return value;
@@ -1100,7 +1104,8 @@ export async function processPermalinks(
11001104
if (exists) {
11011105
// File exists - add data attributes for local handling and "(view on GitHub)" suffix
11021106
const endLineValue = endLine || startLine;
1103-
return `<a data-permalink-processed="true" ${attributes} data-local-file="${filePath}" data-start-line="${startLine}" data-end-line="${endLineValue}" data-link-type="blob">${linkText}</a> (<a data-permalink-processed="true" href="${originalUrl}">view on GitHub</a>)`;
1107+
const escapedFilePath = escapeHtmlAttr(filePath);
1108+
return `<a data-permalink-processed="true" ${attributes} data-local-file="${escapedFilePath}" data-start-line="${startLine}" data-end-line="${endLineValue}" data-link-type="blob">${linkText}</a> (<a data-permalink-processed="true" href="${originalUrl}">view on GitHub</a>)`;
11041109
}
11051110
} catch (error) {
11061111
// File doesn't exist or check failed - keep original link
@@ -1163,7 +1168,8 @@ export async function processDiffLinks(
11631168
// Hash found - add data attributes for diff handling and "(view on GitHub)" suffix
11641169
const startLineValue = startLine || '1';
11651170
const endLineValue = endLine || startLineValue;
1166-
return `<a data-permalink-processed="true" ${attributes} data-local-file="${fileName}" data-start-line="${startLineValue}" data-end-line="${endLineValue}" data-link-type="diff">${linkText}</a> (<a data-permalink-processed="true" href="${originalUrl}">view on GitHub</a>)`;
1171+
const escapedFileName = escapeHtmlAttr(fileName);
1172+
return `<a data-permalink-processed="true" ${attributes} data-local-file="${escapedFileName}" data-start-line="${startLineValue}" data-end-line="${endLineValue}" data-link-type="diff">${linkText}</a> (<a data-permalink-processed="true" href="${originalUrl}">view on GitHub</a>)`;
11671173
}
11681174
} catch (error) {
11691175
// Failed to process - keep original link

0 commit comments

Comments
 (0)