From 99499a8ca1a464be7629ff68459d611dee27cc60 Mon Sep 17 00:00:00 2001
From: Antoine Stalin <19432224+stalina@users.noreply.github.com>
Date: Sun, 4 Jan 2026 22:57:58 +0100
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 1: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9712a83..8160e3e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main, develop]
From 824301d7e1d60940f1e61327f829ee627a220e53 Mon Sep 17 00:00:00 2001
From: Antoine Stalin <19432224+stalina@users.noreply.github.com>
Date: Sun, 4 Jan 2026 23:01:27 +0100
Subject: [PATCH 2/3] Potential fix for code scanning alert no. 10: Incomplete multi-character sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/shared/components/RichTextDisplay.vue | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/shared/components/RichTextDisplay.vue b/src/shared/components/RichTextDisplay.vue
index 2df88af..c93f860 100644
--- a/src/shared/components/RichTextDisplay.vue
+++ b/src/shared/components/RichTextDisplay.vue
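Review bot: The top-level `permissions: contents: read` block now applies to every job in this workflow, but the hunk ends at the `on:` trigger and the `jobs:` section is outside it, so whether any job needs a broader token scope (for example `security-events: write` to upload code-scanning results, `pull-requests: write` to comment, or `id-token: write` for OIDC) cannot be checked from here. Verify that no job relied on the previous default token; if one does, give that job its own job-level `permissions:` block rather than widening the workflow-level one, so the least-privilege default keeps holding for the rest. A short comment above the block, `# Least-privilege default for GITHUB_TOKEN; jobs that need more declare their own permissions`, would record that intent for the next editor.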
@@ -21,8 +21,11 @@ const sanitizedContent = computed(() => {
 });
 const isEmpty = computed(() => {
- // Vérifier si le contenu est vide après suppression des balises
- const textOnly = sanitizedContent.value.replace(/<[^>]*>/g, '').trim();
+ // Vérifier si le contenu est vide après suppression des balises,
+ // en extrayant le texte depuis un conteneur DOM temporaire plutôt que via une regex
+ const container = document.createElement('div');
+ container.innerHTML = sanitizedContent.value;
+ const textOnly = (container.textContent || '').trim();
 return !textOnly;
 });
From 80e2512c7f14f6271a47c9f5602fb34b85e35064 Mon Sep 17 00:00:00 2001
From: Antoine Stalin <19432224+stalina@users.noreply.github.com>
Date: Sun, 4 Jan 2026 23:01:56 +0100
Subject: [PATCH 3/3] Potential fix for code scanning alert no. 7: Incomplete multi-character sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../properties/views/PropertyDetailView.vue | 19 ++++--------------
 1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/src/features/properties/views/PropertyDetailView.vue b/src/features/properties/views/PropertyDetailView.vue
index 73d6521..b515755 100644
--- a/src/features/properties/views/PropertyDetailView.vue
+++ b/src/features/properties/views/PropertyDetailView.vue
@@ -160,21 +160,10 @@ async function copyAnnonce() {
 // Convert HTML to plain text while preserving line breaks
 function htmlToPlainText(html: string) {
 if (!html) return '';
- // remove script/style blocks
- const cleaned = html
- .replace(/[\s\S]*?<\/script>/gi, '')
- .replace(/[\s\S]*?<\/style>/gi, '');
- // replace
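Review bot: `container.innerHTML = sanitizedContent.value` on a detached `div` is not an inert parse: the browser still builds live nodes, loads image sources and fires their event handlers, so `isEmpty` now depends entirely on the sanitizer behind `sanitizedContent` (defined above the hunk) being complete. A `DOMParser` document carries none of that and yields the same text: `const textOnly = (new DOMParser().parseFromString(sanitizedContent.value, 'text/html').body.textContent ?? '').trim();`. The same detached-`innerHTML` pattern is introduced in PropertyDetailView.vue's `htmlToPlainText`, where the input is not sanitized first. Minor: `textContent` on an element is never null, so the `|| ''` only narrows the type; `?? ''` says that more precisely.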
 and closing block tags with newlines
- const withBreaks = cleaned
- .replace(//gi, '\n')
- .replace(/<\/(p|div|h[1-6]|li|ul|ol|tr|table|section|article)>/gi, '\n')
- .replace(/<(\/)?td[^>]*>/gi, '\t');
- // strip remaining tags
- const stripped = withBreaks.replace(/<[^>]+>/g, '');
- // decode HTML entities
- const txt = document.createElement('textarea');
- txt.innerHTML = stripped;
- let decoded = txt.value;
+ // Use DOM parsing to safely convert HTML to text
+ const container = document.createElement('div');
+ container.innerHTML = html;
+ let decoded = (container.innerText || container.textContent || '');
 // Normalize line endings and collapse multiple blank lines
 decoded = decoded
 .replace(/\r/g, '')
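Review bot: On an element that is not rendered, `innerText` is specified to return the same value as `textContent`, so `let decoded = (container.innerText || container.textContent || '')` no longer preserves line breaks despite the comment above the function: the `<br>`, closing-block-tag and `td` markers that the removed regexes turned into `\n`/`\t` now vanish and adjacent paragraphs run together, and the source of `<script>`/`<style>` elements, which the removed code stripped, is now part of the output. The rewrite below parses the markup into an inert `DOMParser` document instead of assigning unsanitized `html` to the `innerHTML` of a live detached element, removes script/style elements, inserts the newline and tab markers explicitly, and only then reads `textContent`; entity decoding comes with the parse, so the `textarea` trick is not needed. The line-ending normalization that follows is untouched, and the rest of `htmlToPlainText` continues outside the hunk.

```typescript
function htmlToPlainText(html: string) {
  if (!html) return '';
  // Parse into an inert document: nothing is executed or fetched,
  // unlike innerHTML on a detached element.
  const doc = new DOMParser().parseFromString(html, 'text/html');
  // textContent would include script/style source, so drop those elements.
  doc.querySelectorAll('script, style').forEach((el) => el.remove());
  // textContent of an unrendered tree carries no line breaks, so mark
  // <br>, closing block tags and table cells explicitly before extracting.
  doc.body.querySelectorAll('br').forEach((br) => br.replaceWith('\n'));
  doc.body
    .querySelectorAll('p, div, h1, h2, h3, h4, h5, h6, li, ul, ol, tr, table, section, article')
    .forEach((el) => el.append('\n'));
  doc.body.querySelectorAll('td').forEach((td) => {
    td.prepend('\t');
    td.append('\t');
  });
  let decoded = doc.body.textContent ?? '';
  // … unchanged: normalize line endings and collapse multiple blank lines …
```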