Territory Layer Performance Update#269

Closed
1brucben wants to merge 2 commits into v0.2.3ai from territorylayerperf

Conversation

@1brucben
Owner

No description provided.

- Introduced TerritoryLayer.perf.test.ts to benchmark the Canvas2D implementation of TerritoryLayer.
- Created a performance harness in territory-layer-bench-harness.ts to facilitate benchmarking of different Layer implementations.
- Implemented various scenarios to measure performance, including full redraws, large attacks, and sustained incremental updates.
- Added mock game state and GPU counters to track rendering performance metrics.
Flagged code (excerpt from src/client/graphics/layers/TradeDebugOverlay.ts; the template literal continues past what the page shows):

const searchBox = `
<div style="margin-bottom: 8px;">
<input data-demand-filter type="text" placeholder="Filter by country name…"
value="${this.esc(this.demandFilter)}"

Check warning: Code scanning / CodeQL

Incomplete HTML attribute sanitization (Medium)

Cross-site scripting vulnerability as the output of this final HTML sanitizer step may contain double quotes when it reaches this attribute definition.

Copilot Autofix

AI about 17 hours ago

To fix the problem, the sanitizer used for creating HTML must escape all characters that are dangerous in the specific context—in this case, an HTML attribute delimited by double quotes. That means " must be escaped (typically as &quot;) in addition to &, <, and >. Since esc is a general-purpose HTML escaping function already used for inner text as well as attributes, the safest fix is to extend esc to also replace " with &quot;. This preserves existing behavior (escaped output remains valid HTML) while eliminating the XSS risk in attribute contexts.

Concretely, in src/client/graphics/layers/TradeDebugOverlay.ts, update the esc method at lines 404–405 to add another .replace(/"/g, "&quot;"). No other call sites need to change, because they will all benefit from the stronger escaping. No new imports or helper methods are required; we just modify the existing esc function. The change is localized and does not alter types or method signatures, so it will not affect surrounding logic.

Suggested changeset 1
src/client/graphics/layers/TradeDebugOverlay.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/client/graphics/layers/TradeDebugOverlay.ts b/src/client/graphics/layers/TradeDebugOverlay.ts
--- a/src/client/graphics/layers/TradeDebugOverlay.ts
+++ b/src/client/graphics/layers/TradeDebugOverlay.ts
@@ -402,6 +402,10 @@
   }
 
   private esc(s: string): string {
-    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    return s
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;")
+      .replace(/"/g, "&quot;");
   }
 }
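Review bot: the added `.replace(/"/g, "&quot;")` closes the break-out CodeQL reported for the double-quoted `value="${this.esc(...)}"` attribute, but `esc` is described above as a general-purpose helper used for both inner text and attributes, and it still leaves `'` untouched; if any template in this overlay interpolates into a single-quoted attribute, the same break-out remains possible there. Suggest a fifth step, `.replace(/'/g, "&#39;")`, keeping the `&` replacement first so the entities produced by the later steps are not re-escaped.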
EOF
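The following is an added example, not code from this pull request or the project: it places the pre-fix text-only escaper beside a hardened one and renders the same double-quoted `value` attribute that CodeQL flagged, then tokenizes the resulting tag to show whether the untrusted string stayed inside its quotes. It goes one step beyond the autofix by escaping `'` as well, so the helper is also safe in single-quoted attributes. All names (`escTextOnly`, `escAttrSafe`, `renderFilterInput`, `attributeNames`, `decodeEntities`) and the sample input are constructed for this illustration.

```typescript
// Added example (not project code). Names are hypothetical.

// Pre-fix escaper as shown in the alert: sufficient for text nodes only.
function escTextOnly(s: string): string {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened escaper: also neutralises both quote characters, so one helper
// is safe in text nodes and in double- or single-quoted attribute values.
// '&' is replaced first so the entities produced below are not re-escaped.
function escAttrSafe(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the flagged template: untrusted text lands in a double-quoted
// attribute value. The escaper is injectable so both variants can be compared.
function renderFilterInput(filter: string, esc: (s: string) => string): string {
  return `<input data-demand-filter type="text" value="${esc(filter)}">`;
}

// Minimal attribute tokenizer for a single rendered tag. It returns the
// attribute names a parser would see; any name beyond the three the template
// declares means the interpolated value escaped its quotes.
function attributeNames(tag: string): string[] {
  const names: string[] = [];
  const re = /\s([a-zA-Z][\w-]*)(?:="[^"]*")?/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[1]);
  }
  return names;
}

// Inverse of escAttrSafe, used to check that escaping is lossless:
// decodeEntities(escAttrSafe(s)) must equal s for every input.
const ENTITY: Record<string, string> = {
  "&amp;": "&",
  "&lt;": "<",
  "&gt;": ">",
  "&quot;": '"',
  "&#39;": "'",
};
function decodeEntities(s: string): string {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => ENTITY[m] ?? m);
}

// Constructed input: a closing quote followed by a benign extra attribute.
const BREAKOUT_SAMPLE = '" data-injected="1';

console.log(attributeNames(renderFilterInput(BREAKOUT_SAMPLE, escTextOnly)));
// -> ["data-demand-filter", "type", "value", "data-injected"]  (breaks out)
console.log(attributeNames(renderFilterInput(BREAKOUT_SAMPLE, escAttrSafe)));
// -> ["data-demand-filter", "type", "value"]                   (contained)
```

The tokenizer is deliberately simple; it is a check for this one tag shape, not an HTML parser. The lossless round trip through `decodeEntities` is the property to keep in mind when extending an escaper: every added replacement must map to an entity the consumer decodes back to the original character, and `&` must stay first in the chain.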
@1brucben 1brucben closed this Feb 23, 2026