Skip to content

fix(web): harden legal script sanitization#3855

Open
kilo-code-bot[bot] wants to merge 1 commit into
mainfrom
fix/codeql-430-legal-script-sanitization
Open

fix(web): harden legal script sanitization#3855
kilo-code-bot[bot] wants to merge 1 commit into
mainfrom
fix/codeql-430-legal-script-sanitization

Conversation

@kilo-code-bot

@kilo-code-bot kilo-code-bot Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Fixes CodeQL alert 430 by repeatedly removing legal-page <script> elements until malformed nested tags can no longer reintroduce a script tag.
  • Adds a regression case for malformed nested script markup in imported legal content.

Verification

  • Confirmed a malformed nested script sample is reduced to inert legal-page HTML with the expected body content.
  • Targeted Jest coverage was not completed because this container has no Docker binary to start the required test Postgres service.

Visual Changes

N/A

Reviewer Notes

  • Scope is intentionally limited to the script sanitization path flagged by CodeQL alert 430.

@kilo-code-bot kilo-code-bot Bot requested a review from RSO June 9, 2026 09:36
@kilo-code-bot

kilo-code-bot Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

The iterative script-tag removal loop correctly addresses the nested-tag bypass (CodeQL alert 430) and terminates safely — no bugs, security regressions, or performance concerns found in the two changed files.

Files Reviewed (2 files)
  • apps/web/src/app/legal-page-source.ts
  • apps/web/src/app/terms-app/terms-source.test.ts

Loop correctness: Each iteration of the do…while in removeScriptElements replaces matches with '', so the string strictly shrinks whenever a match is found. The loop terminates when no further matches are found (sanitizedHtml === previousHtml). No infinite loop is possible.

Attack vector coverage: The regression test correctly exercises the bypass: <scrip<script>alert('removed')</script>t>alert('xss')</script> — first pass strips the inner <script>alert('removed')</script>, reassembling <script>alert('xss')</script>, which the second pass removes entirely. Both <script and alert( are correctly absent from the result.

Scope: iframe and on* removal are not looped, but these are not subject to the same nested-tag reconstruction attack and are pre-existing — outside this PR's stated scope.

Fix these issues in Kilo Cloud

Reviewed by claude-4.6-sonnet-20260217 · 392,843 tokens

Review guidance: REVIEW.md from base branch main

github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 9, 2026
View reviewed changes
Comment thread apps/web/src/app/legal-page-source.ts

do {
previousHtml = sanitizedHtml;
sanitizedHtml = sanitizedHtml.replaceAll(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RSO RSO Awaiting requested review from RSO

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@github-advanced-security