fix CodeQL warnings

Nelson-numerical-software · Nelson-numerical-software · commit 0aaeeb274f15 · 2025-10-21T14:56:43.000+02:00
diff --git a/modules/help_tools/resources/help_viewer.html b/modules/help_tools/resources/help_viewer.html
@@ -189,7 +189,7 @@
       }
 
       // Public actions
-      function searchHelp(term) {
+      function searchHelp(term = '') {
         const normalizedTerm = (term || '').trim();
         if (!normalizedTerm) {
           alert(messages[lang].enter_search);
@@ -273,8 +273,22 @@
         if (searchTerm) {
           searchInput.value = searchTerm.trim();
         }
-        if (openPage) {
+        // Only allow openPage to be a safe relative path (no absolute URLs or protocol handlers)
+        function isSafeRelativePath(p) {
+          // No protocol, not starting with //, only allowed chars, no javascript: etc.
+          if (!p || typeof p !== "string") return false;
+          if (/^\s*$/.test(p)) return false;
+          if (/^[a-z][a-z0-9+\-.]*:/i.test(p)) return false; // Disallow any protocol like http: or javascript:
+          if (/^\/\//.test(p)) return false; // Disallow protocol-relative URLs
+          if (/[<>:"|?*\\]/.test(p)) return false; // Disallow special chars
+          // Allow only paths like foo/bar.html, /foo/bar or ./foo
+          return /^[\w\-\/\.\@]+$/.test(p);
+        }
+        if (openPage && isSafeRelativePath(openPage)) {
           navigateToPage(openPage);
+        } else if (openPage) {
+          // Optionally log/ignore invalid path
+          console.warn("Blocked potentially unsafe openPage value:", openPage);
         } else if (searchTerm) {
           searchHelp(searchTerm);
         }
diff --git a/modules/help_tools/resources/nelson_help.js b/modules/help_tools/resources/nelson_help.js
@@ -85,6 +85,7 @@
 
       prepareMathJaxV3Config();
       var local = "../tex-mml-chtml.js";
+
       var cdn = "https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js";
 
       function onLoad() {
diff --git a/modules/help_tools/resources/search_results.html b/modules/help_tools/resources/search_results.html
@@ -35,6 +35,20 @@ <h1 class="search-results-title"></h1>
   
   <!-- localized behavior: detect lang, apply messages, append lang to links -->
   <script>
+    function escapeHTML(str) {
+      if (!str) return '';
+      return str.replace(/[&<>"']/g, function (m) {
+        switch (m) {
+          case '&': return '&amp;';
+          case '<': return '&lt;';
+          case '>': return '&gt;';
+          case '"': return '&quot;';
+          case "'": return '&#39;';
+          default: return m;
+        }
+      });
+    }
+    
     function getQueryParam(name) {
       const params = new URLSearchParams(window.location.search);
       return params.get(name);
@@ -56,8 +70,8 @@ <h1 class="search-results-title"></h1>
         loading: 'Loading search index...',
         index_empty: 'Warning: Search index is empty or could not be loaded.',
         no_query: 'No search term provided.',
-        found_results: (n, q) => `Found ${n} results for <strong>${q}</strong>:`,
-        no_results_for: q => `No results found for <strong>${q}</strong>.`,
+        found_results: (n, q) => `Found ${n} results for <strong>${escapeHTML(q)}</strong>:`,
+        no_results_for: q => `No results found for <strong>${escapeHTML(q)}</strong>.`,
         popular_topics: 'Popular topics:',
         home_aria: 'Back to help homepage'
       },
@@ -66,8 +80,8 @@ <h1 class="search-results-title"></h1>
         loading: "Chargement de l'index de recherche...",
         index_empty: "Attention : l'index de recherche est vide ou n'a pas pu être chargé.",
         no_query: "Aucun terme de recherche fourni.",
-        found_results: (n, q) => `Trouvé ${n} résultat(s) pour <strong>${q}</strong> :`,
-        no_results_for: q => `Aucun résultat pour <strong>${q}</strong>.`,
+        found_results: (n, q) => `Trouvé ${n} résultat(s) pour <strong>${escapeHTML(q)}</strong> :`,
+        no_results_for: q => `Aucun résultat pour <strong>${escapeHTML(q)}</strong>.`,
         popular_topics: 'Sujets populaires :',
         home_aria: "Retour à la page d'accueil de l'aide"
       }
@@ -211,7 +225,7 @@ <h1 class="search-results-title"></h1>
         if (helpIndex.length === 0) {
           resultsDiv.innerHTML = `<p>${msg.index_empty}</p>`;
           if (query) {
-            resultsDiv.innerHTML += `<p>${msg.no_results_for(query)}</p>`;
+            resultsDiv.innerHTML += `<p>${msg.no_results_for(escapeHTML(query))}</p>`;
           }
           return;
         }
@@ -226,13 +240,16 @@ <h1 class="search-results-title"></h1>
             
             results.forEach(result => {
               const href = appendLangToUrl(result.url || result.path || './homepage.html');
-              html += `
-                <div class="result-item">
-                  <h3><a href="${href}" target="contentFrame">${result.title}</a></h3>
-                  <p>${result.snippet}</p>
-                  <small>${result.path || ''}</small>
-                </div>
-              `;
+              const safeTitle = escapeHTML(result.title || '');
+              const safeSnippet = escapeHTML(result.snippet || '');
+              const safePath = escapeHTML(result.path || '');
+               html += `
+                 <div class="result-item">
+                   <h3><a href="${href}" target="contentFrame">${safeTitle}</a></h3>
+                   <p>${safeSnippet}</p>
+                   <small>${safePath}</small>
+                 </div>
+               `;
             });
             
             resultsDiv.innerHTML = html;
@@ -245,17 +262,18 @@ <h3><a href="${href}" target="contentFrame">${result.title}</a></h3>
             let html = `<p>${msg.popular_topics}</p>`;
             topResults.forEach(result => {
               const href = appendLangToUrl(result.url || result.path || './homepage.html');
-              html += `
-                <div class="result-item">
-                  <h3><a href="${href}" target="contentFrame">${result.title}</a></h3>
-                </div>
-              `;
-            });
+              const safeTitle = escapeHTML(result.title || '');
+               html += `
+                 <div class="result-item">
+                   <h3><a href="${href}" target="contentFrame">${safeTitle}</a></h3>
+                 </div>
+               `;
+             });
             resultsDiv.innerHTML += html;
           }
         }
       } catch (error) {
-        resultsDiv.innerHTML = `<p>Error loading search index: ${error && error.message ? error.message : error}</p>`;
+        resultsDiv.innerHTML = `<p>Error loading search index: ${escapeHTML(error && error.message ? error.message : error)}</p>`;
       }
     }
     
