Potential fix for code scanning alert no. 1: Incomplete string escaping or encoding #12
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a security vulnerability (code scanning alert #1) related to incomplete string escaping in the localization key handling. The fix ensures that both backslashes and curly braces are properly escaped in the correct order to prevent double-escaping issues.
Key Changes:
- Updated
escapeKeyto escape backslashes first, then curly braces (critical for correctness) - Updated
unescapeKeyto reverse the escaping operations in the correct order - Updated JSON locale files to reflect the new escaping format with properly escaped backslashes
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
lib/common/escapeKey.ts |
Implements two-step escaping: backslashes first (\ → \), then curly braces ({ → {), with clear comments explaining the order |
lib/common/unescapeKey.ts |
Adds backslash unescaping (\ \ → ) to complement the brace unescaping, reversing the escape operations in correct order |
example/locales/en.json |
Updates escape test key with correct triple-backslash sequence and adds new error message keys |
example/locales/de.json |
Mirrors the English locale changes for consistency |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/wuespace/honolate/security/code-scanning/1
To correctly escape both curly braces and backslashes, the function should first escape existing backslashes by replacing each single backslash (
\) with double backslashes (\\). After that, it can escape curly braces. The correct order is critical: escaping backslashes first ensures we don't accidentally double-escape any newly-introduced backslashes from the{escaping step. The fix should update theescapeKeyfunction inlib/common/escapeKey.tsto first replace all backslashes with double backslashes, then replace all curly braces with a backslash and curly brace. Both operations should use regular expressions with the global flag to ensure all occurrences are replaced. No new imports are needed; standard JavaScriptreplacewith regex suffices.Suggested fixes powered by Copilot Autofix. Review carefully before merging.