[APS-19078] fix CI: replace regex HTML strip with sanitize-html (CodeQL)

Jimesh-browserstack · Jimesh-browserstack · commit 88b3a538fb08 · 2026-05-07T21:26:37.000+05:30
CodeQL flagged the `<script|iframe|object|embed>` regex in sanitizeCss as "incomplete multi-character sanitization" (high severity x2 — src + dist). A single-pass replace is bypassable by nested patterns like `<scr<script>ipt>`, which collapse to `<script>` after one substitution. Fix: strip ALL HTML tags from the rich-CSS payload via sanitize-html with allowedTags: [] (the library iterates internally and is not bypassable). The CSS-function regexes for `expression(...)` and `url(javascript:...)` remain — they target CSS syntax, not HTML, and CodeQL did not flag them. Verified: - 18/18 unit tests pass (no regression) - Sanity script confirms `<scr<script>ipt>` no longer leaves a `<script` substring in the output - Flagged regex literal absent from rebuilt dist/index.js - Lint clean Resolves: CodeQL failure on PR #85
diff --git a/browserstack-report-action/dist/index.js b/browserstack-report-action/dist/index.js
@@ -51127,13 +51127,17 @@ const HTML_SANITIZE_OPTIONS = {
 };
 
 // CSS sanitizer: strip JS-execution hooks (expression(), url(javascript:...))
-// from the rich-CSS payload before embedding into <style>.
+// from the rich-CSS payload before embedding into <style>. HTML tags are
+// stripped via sanitize-html (allowedTags: []) rather than a regex — a
+// regex replace is single-pass and bypassable by nested patterns like
+// `<scr<script>ipt>`, which CodeQL flags as "incomplete multi-character
+// sanitization". sanitize-html iterates internally and is safe.
 function sanitizeCss(css) {
   if (!css || typeof css !== 'string') return '';
-  return css
+  const stripped = sanitizeHtml(css, { allowedTags: [], allowedAttributes: {} });
+  return stripped
     .replace(/expression\s*\([^)]*\)/gi, '')
-    .replace(/url\s*\(\s*['"]?\s*javascript:[^)]*\)/gi, '')
-    .replace(/<\/?(script|iframe|object|embed)[^>]*>/gi, '');
+    .replace(/url\s*\(\s*['"]?\s*javascript:[^)]*\)/gi, '');
 }
 
 class ReportProcessor {
diff --git a/browserstack-report-action/src/services/ReportProcessor.js b/browserstack-report-action/src/services/ReportProcessor.js
@@ -29,13 +29,17 @@ const HTML_SANITIZE_OPTIONS = {
 };
 
 // CSS sanitizer: strip JS-execution hooks (expression(), url(javascript:...))
-// from the rich-CSS payload before embedding into <style>.
+// from the rich-CSS payload before embedding into <style>. HTML tags are
+// stripped via sanitize-html (allowedTags: []) rather than a regex — a
+// regex replace is single-pass and bypassable by nested patterns like
+// `<scr<script>ipt>`, which CodeQL flags as "incomplete multi-character
+// sanitization". sanitize-html iterates internally and is safe.
 function sanitizeCss(css) {
   if (!css || typeof css !== 'string') return '';
-  return css
+  const stripped = sanitizeHtml(css, { allowedTags: [], allowedAttributes: {} });
+  return stripped
     .replace(/expression\s*\([^)]*\)/gi, '')
-    .replace(/url\s*\(\s*['"]?\s*javascript:[^)]*\)/gi, '')
-    .replace(/<\/?(script|iframe|object|embed)[^>]*>/gi, '');
+    .replace(/url\s*\(\s*['"]?\s*javascript:[^)]*\)/gi, '');
 }
 
 class ReportProcessor {
