Conversation

@seaerchin
Collaborator

Problem

Go uses raw HTML for templating without escaping it. This PR adds that in.

Solution

Add escaping into the HTML template (EJS docs)

@seaerchin seaerchin requested review from adriangohjw and dcshzj July 10, 2025 08:08
@adriangohjw
Contributor

bugbot run

@cursor cursor bot left a comment

Bug: EJS Template Change Breaks HTML and URL Escaping

The change from <%- ... %> to <%= ... %> in EJS templates introduces two bugs:

  1. The include('partial-masthead') function's HTML output is now HTML-escaped, causing the masthead to display as literal text instead of rendered HTML elements. This breaks the layout on the transition and 404 error pages.
  2. The escapedLongUrl variable, already URL-escaped, is now HTML-escaped again. This double-escaping corrupts the URL in the data-href attribute, potentially breaking the redirect functionality on the transition page.

src/server/views/transition-page.ejs#L19-L26

<% if(assetVariant === 'gov') { %>
<%= include('partial-masthead') %>
<% } %>
<div class="top-half">
<div class="top-half-content">
<h3>Check your address bar</h3>
<a href="https://go.gov.sg/go-antiphishing" target="_blank" rel="noreferrer noopener">Beware of phishing! <br class="mobile-break">Make sure your link starts with <%= displayHostname.toLowerCase() %></a>
<p id="url" data-href="<%= escapedLongUrl %>">You will be redirected in <span id="countdown-seconds">6</span> second<span id="s">s</span></p>

src/server/views/404.error.ejs#L19-L20

<% if(assetVariant === 'gov') { %>
<%= include('partial-masthead') %>

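Added example, not code from this PR or from the GoGovSG project: a minimal stand-in for the two EJS output tags that reproduces the three cases named in the report above (a dynamic value such as displayHostname, the include('partial-masthead') output, and the URL-escaped data-href), so the effect of switching <%- to <%= can be checked without the ejs package. The helper names and all sample values are assumptions.

```javascript
// Added example, not code from the GoGovSG PR: a stand-in for the two EJS
// output tags so <%= (escaped) and <%- (raw) can be compared offline without
// the ejs package. escapeHtml applies the same five replacements as EJS's
// <%= tag (& < > " '). All sample values below are constructed.

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml: what an HTML parser does when it reads an attribute value.
function unescapeHtml(value) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&#34;': '"', '&#39;': "'" };
  return value.replace(/&(?:amp|lt|gt|#34|#39);/g, (e) => map[e]);
}

const rawTag = (v) => String(v);         // behaves like <%- v %>
const escapedTag = (v) => escapeHtml(v); // behaves like <%= v %>

// Case 1 (the PR's goal): a dynamic value such as displayHostname. With the
// escaped tag, any markup inside it is rendered as text, not as elements.
function renderHostname(tag, displayHostname) {
  return `Make sure your link starts with ${tag(displayHostname.toLowerCase())}`;
}

// Case 2 (bug bot point 1): include('partial-masthead') returns trusted,
// already-rendered HTML. The escaped tag turns it into literal text.
function renderMasthead(tag, partialHtml) {
  return tag(partialHtml);
}

// Case 3 (bug bot point 2): a URL-escaped value placed in a data-href attribute.
function renderDataHref(tag, escapedLongUrl) {
  return `<p id="url" data-href="${tag(escapedLongUrl)}">`;
}

// The attribute value a script would read back from the rendered markup,
// i.e. after the HTML parser has decoded entities.
function dataHrefAsRead(html) {
  const m = /data-href="([^"]*)"/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}
```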

@dcshzj dcshzj requested a review from Copilot July 11, 2025 08:41

This comment was marked as outdated.

@seaerchin
Copy link
Collaborator Author

when will ai replace me :kekw:

@seaerchin seaerchin requested a review from Copilot July 11, 2025 12:17

This comment was marked as duplicate.

@seaerchin seaerchin requested a review from Copilot July 11, 2025 12:28

This comment was marked as outdated.

@seaerchin seaerchin requested a review from Copilot July 15, 2025 08:35

Copilot AI left a comment

Pull Request Overview

This PR updates EJS templates to escape dynamic values, replacing unescaped output tags (<%- … %>) with escaped tags (<%= … %>) to prevent raw HTML injection.

  • Replace unescaped EJS tags with escaped tags in the transition page template
  • Replace unescaped EJS tags with escaped tags in the 404 error page template

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/server/views/transition-page.ejs Swapped <%- to <%= for title, assets, and links
src/server/views/404.error.ejs Swapped <%- to <%= for title, assets, and images
Comments suppressed due to low confidence (1)

src/server/views/transition-page.ejs:26

  • The escapedLongUrl is currently rendered with <%- %> (unescaped) in the data-href attribute, which may allow injection or break HTML if the URL contains special characters. Switch to <%= escapedLongUrl %> to ensure proper HTML escaping.
            <p id="url" data-href="<%- escapedLongUrl %>">You will be redirected in <span id="countdown-seconds">6</span> second<span id="s">s</span></p>

@seaerchin seaerchin merged commit 40d6de2 into develop Jul 15, 2025
16 checks passed