From ce5b6feda1c896f8f74d30a870b5109ab8e871d9 Mon Sep 17 00:00:00 2001
From: Test User
Date: Tue, 7 Apr 2026 19:42:06 +0530
Subject: [PATCH] fix: escape HTML special characters in build.sh to prevent HTML injection

Add html_escape() function to sanitize git tag names, tag titles, and commit dates before interpolating them into public/index.html. Also fix unquoted echo to prevent word splitting.

Closes #1220

Co-Authored-By: Claude Sonnet 4.6
---
 build.sh | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/build.sh b/build.sh
index 09fb26317..e759bdcc2 100755
--- a/build.sh
+++ b/build.sh
@@ -1,6 +1,16 @@
 #!/bin/bash -e
 # This script publishes the GraphQL specification document to the web.
+# Escape HTML special characters to prevent HTML injection
+html_escape() {
+ local str="$1"
+ str="${str//&/&}"
+ str="${str///>}"
+ str="${str//\"/"}"
+ echo "$str"
+}
+
 # Determine if this is a tagged release
 GITTAG=$(git tag --points-at HEAD)
@@ -58,11 +68,12 @@ HTML="
 # Include latest draft
 GITDATE=$(git show -s --format=%cd --date=format:"%a, %b %-d, %Y" HEAD)
+GITDATE_ESC=$(html_escape "$GITDATE")
 HTML="$HTML
 Prerelease Working Draft
- $GITDATE
+ $GITDATE_ESC
 "
@@ -73,6 +84,10 @@ for GITTAG in $(git tag -l --sort='-*committerdate') ; do
 TAGGEDCOMMIT=$(git rev-list -1 "$GITTAG")
 GITDATE=$(git show -s --format=%cd --date=format:"%a, %b %-d, %Y" $TAGGEDCOMMIT)
+ GITTAG_ESC=$(html_escape "$GITTAG")
+ TAGTITLE_ESC=$(html_escape "$TAGTITLE")
+ GITDATE_ESC=$(html_escape "$GITDATE")
+
 HTML="$HTML
 "
@@ -82,9 +97,9 @@ for GITTAG in $(git tag -l --sort='-*committerdate') ; do
 HAS_LATEST_RELEASE=1
 HTML="$HTML
- $TAGTITLE
- $GITDATE
- Release Notes
+ $TAGTITLE_ESC
+ $GITDATE_ESC
+ Release Notes
 "
 done
@@ -102,4 +117,4 @@ HTML="$HTML
 "
-echo $HTML > "public/index.html"
+echo "$HTML" > "public/index.html"
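Review bot: `echo "$str"` at the end of html_escape is the one place the helper can still alter its input: bash's builtin echo treats a leading `-n`, `-e` or `-E` as an option and, with `xpg_echo` enabled, interprets backslash escapes, so `printf '%s\n' "$str"` is the form to use for arbitrary data. The helper also leaves the single quote untouched; if any attribute in the generated markup is single-quoted, a `'` in a tag name still terminates it, so add `str="${str//\'/&#39;}"` after the double-quote substitution. The ampersand substitution must stay first so it does not re-escape the entities the later lines produce; in this rendering the `<` and `>` substitutions are fused into one garbled line, so their exact text cannot be checked here.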
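Review bot: Entity-escaping `$GITTAG_ESC` is right for the text nodes, but the Release Notes line appears to interpolate the tag into an `href` as well, and HTML escaping is not URL encoding: git refnames may not contain whitespace or `~ ^ : ? * [`, yet `#`, `%` and `;` are allowed, so a tag containing one of them still points the link at a different target after escaping. If the tag forms part of the URL path, percent-encode it separately for the href (a `printf '%%%02X'` loop over the bytes suffices in bash) and keep `$GITTAG_ESC` for the displayed text only. The enclosing `for GITTAG` loop and the earlier hunk that computes `GITTAG_ESC` both start outside the visible lines, and the markup around these lines has been stripped in this rendering, so the href use is inferred from the link text rather than seen.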
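Review bot: Quoting `$HTML` fixes the word splitting and globbing, but `echo` remains the wrong tool for arbitrary data: bash's builtin echo would take a leading `-n`/`-e`/`-E` as an option and, with `xpg_echo` set or when the script is run under `sh`, would process backslash escapes inside the document, so `printf '%s\n' "$HTML" > "public/index.html"` is the safe form. This also avoids a second behavioural difference between bash and other shells for a file that is published as-is.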