const searchBox = `
<div style="margin-bottom: 8px;">
<input data-demand-filter type="text" placeholder="Filter by country name…"
value="${this.esc(this.demandFilter)}"

Code scanning / CodeQL warning: Incomplete HTML attribute sanitization (Medium)

Copilot Autofix (AI, about 14 hours ago)
In general, when constructing HTML dynamically and placing untrusted data into HTML attributes, the data must be properly HTML-encoded for the attribute context, including escaping at least &, <, >, and the attribute’s delimiter character (" in this case). The current esc function escapes only &, <, and >, which is adequate for text nodes but insufficient for attributes enclosed in double quotes.
The best fix with minimal functional change is to strengthen the existing esc function so that it also escapes double quotes. All current call sites will continue to work as before, except that any double quotes in the input will now be rendered as &quot;, which is the correct, safe representation in HTML attributes and text. No changes are needed where esc is used; only the sanitizer must be updated.
Concretely, in src/client/graphics/layers/TradeDebugOverlay.ts, modify the esc method at lines 404–406 to add a replacement for ". The method should replace & first, then <, >, and then ", returning a fully sanitized string suitable for use in the attribute contexts shown. No new imports or helper methods are required.
| @@ -402,6 +402,10 @@ | ||
| } | ||
|
|
||
| private esc(s: string): string { | ||
| return s.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">"); | ||
| return s | ||
| .replace(/&/g, "&") | ||
| .replace(/</g, "<") | ||
| .replace(/>/g, ">") | ||
| .replace(/"/g, """); | ||
| } | ||
| } |
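Review bot: As rendered, every replacement string in the new `.replace` chain is the same literal character that is being matched (`"&"`, `"<"`, `">"`), and the last one, `"""`, is not even a valid string literal; the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`) appear to have been decoded in the display, so please confirm the committed source really contains the entity names, because otherwise the fix is a no-op. The ordering (`&` first, then the rest) is right and avoids double-encoding. One follow-up: this makes `esc` safe for double-quoted attributes such as the `value="..."` on the search box, but not for single-quoted or unquoted attribute values; either also replace `'` with `&#39;`, or keep the rule that every attribute built with `esc` is double-quoted.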
This pull request introduces several new features and improvements related to AI calibration, player filtering, and peace request handling, along with some dependency and UI updates. The most significant changes are the addition of AI calibration support for headless matches, enhanced player filtering to include AI players, and new peace request/reply events in the client transport layer.
AI Calibration Feature

- `AICalibrationModal` and associated UI logic to allow launching AI-vs-AI calibration matches from the main menu, including support for calibration data in `LobbyConfig` and `JoinLobbyEvent`. (src/client/Main.ts, src/client/ClientGameRunner.ts) [1] [2] [3] [4] [5] [6] [7]
- `CalibrationWorker.ts` for running headless calibration matches in a web worker, enabling fast, background AI benchmarking. (src/client/CalibrationWorker.ts)
- `ai-profiles.json` resource file for specifying multiple AI behavior profiles used in calibration. (resources/ai-profiles.json)

Player Filtering Improvements

- `PlayerType.AI` instead of `PlayerType.FakeHuman`, affecting statistics and UI components. (src/client/ClientGameRunner.ts, src/client/StatisticsModal.ts) [1] [2] [3] [4] [5]

Peace Request Handling

- `SendPeaceReplyIntentEvent`) and integrated them into the client transport event bus for improved multiplayer negotiation flows. (src/client/Transport.ts) [1] [2]
- (resources/lang/en.json)

Dependency and UI Updates

- `@swc/core` to `package.json` dependencies for improved build performance. (package.json)
- `package.json`. (package.json)

Miscellaneous

- (src/client/InputHandler.ts, src/client/Transport.ts) [1] [2] [3] [4]
- (src/client/TechTooltips.ts)
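To make the CodeQL finding on `esc` concrete, here is an added example (not the project's code) that places the text-only escaper beside an attribute-safe one and checks, with a constructed filter string, whether the input can leave the double-quoted `value="..."` it is rendered into; it goes one step beyond the page's fix by also escaping single quotes. The names `escText`, `escAttr`, `renderFilterBox`, `quotedAttributes`, `attributeBreakout` and `SAMPLE_FILTER` are hypothetical.

```typescript
// Added example, not the project's code: the text-only escaper the CodeQL alert
// flags, next to an attribute-safe one, and a check that an untrusted filter
// string cannot leave the double-quoted value="..." it is rendered into.
// All names here (escText, escAttr, renderFilterBox, quotedAttributes,
// attributeBreakout, SAMPLE_FILTER) are hypothetical.

// Escapes only &, <, >: fine for text nodes, insufficient inside quoted attributes.
export function escText(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-safe: & first so the entities added afterwards are not re-encoded,
// then the angle brackets, then both quote delimiters. Escaping ' as well goes
// one step beyond the page's fix, which adds only ".
export function escAttr(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same shape as the overlay's search-box template, with the escaper injectable.
export function renderFilterBox(filter: string, esc: (s: string) => string): string {
  return `<input data-demand-filter type="text" value="${esc(filter)}">`;
}

// Collects the double-quoted attributes of one tag into a name -> raw value map.
export function quotedAttributes(tag: string): Record<string, string> {
  const out: Record<string, string> = {};
  const re = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) {
    out[m[1]] = m[2];
  }
  return out;
}

// Constructed sample input: tries to close the value and smuggle in an attribute.
export const SAMPLE_FILTER = 'x" data-injected="1';

// True when the rendered tag gained an attribute that only existed in the input.
export function attributeBreakout(esc: (s: string) => string): boolean {
  return "data-injected" in quotedAttributes(renderFilterBox(SAMPLE_FILTER, esc));
}
```

With `escText` the sample filter becomes a separate `data-injected` attribute; with `escAttr` it stays inside the `value` as `x&quot; data-injected=&quot;1`, which the browser decodes back to the original text for the field only.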