Conversation

@aamoghS
Member

@aamoghS aamoghS commented Jan 1, 2026

Potential fix for https://github.com/DataScience-GT/query/security/code-scanning/6

In general, the problem is that the sanitizer attempts to remove whole multi‑character patterns (e.g., an entire <script>...</script> block) in a single .replace pass. When nested or overlapping constructs exist, removing one occurrence can cause the remainder of the string to form a new, still‑dangerous pattern that is not subsequently removed. To fix this without changing broader behavior, we can either (a) repeatedly apply the existing regex replacements until the string stops changing, or (b) switch to a proven sanitization library. Staying within the existing file and without adding new dependencies, the least invasive and safest fix is to loop the current replacements until no more modifications occur.

Concretely, inside sanitizeInput, in the typeof input === 'string' branch (around lines 39–49), we should:

  1. Replace the current chained .replace(...).replace(...).trim().slice(...) with a small loop:
    • Initialize a sanitized variable to input.
    • In a do { ... } while (sanitized !== previous); loop, repeatedly apply the same series of .replace calls to sanitized.
    • After the loop stabilizes (no changes between iterations), then apply .trim().slice(0, 10000) once.
  2. Keep all existing regexes and truncation behavior unchanged; only add the repetition logic.

This ensures that if removing one pattern exposes another instance of any of the targeted patterns (like <script), subsequent iterations will remove those as well until the string is stable. No new imports or helpers are required, and behavior for well‑formed, non‑malicious inputs remains effectively the same except for potentially performing multiple passes.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…er sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
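An added illustration of the single-pass versus fixed-point sanitizer the description above proposes. This is example code written for this page, not the repository's sanitizeInput; the regex list and the 10000-character limit are assumed stand-ins for the file's actual replacement chain.

```javascript
// Assumed stand-ins for the file's replacement chain (not the project's regexes).
const DANGEROUS_PATTERNS = [
  /<script\b[^>]*>[\s\S]*?<\/script>/gi, // whole <script>...</script> blocks
  /javascript:/gi,                       // javascript: URL scheme
  /on\w+\s*=/gi,                         // inline event-handler attributes
];
const MAX_LEN = 10000; // assumed truncation limit

// One chained pass of every replacement, in order.
function applyOnce(s) {
  return DANGEROUS_PATTERNS.reduce((acc, re) => acc.replace(re, ''), s);
}

// "Before": a single pass. Removing an inner match can splice the surrounding
// fragments into a fresh match that nothing later in the chain removes.
function sanitizeOnce(input) {
  if (typeof input !== 'string') return input;
  return applyOnce(input).trim().slice(0, MAX_LEN);
}

// "After": repeat the same chain until a pass changes nothing, then trim and
// truncate once. Every replacement only deletes text, so the loop terminates.
function sanitizeStable(input) {
  if (typeof input !== 'string') return input;
  let sanitized = input;
  let previous;
  do {
    previous = sanitized;
    sanitized = applyOnce(sanitized);
  } while (sanitized !== previous);
  return sanitized.trim().slice(0, MAX_LEN);
}

// Constructed inputs where one pass leaves a targeted pattern behind.
const SPLICED_TAG = '<scr<script>x</script>ipt>alert(1)</script>';
const SPLICED_SCHEME = 'javajavascript:script:';

// Benign input is unaffected apart from the usual trim.
const BENIGN = '  hello <b>world</b>  ';

// Side-by-side result for the reader; the return values are what matter.
function compare(input) {
  return { once: sanitizeOnce(input), stable: sanitizeStable(input) };
}
```

Running compare on the spliced inputs shows the single pass still emitting a `<script>` block and a `javascript:` scheme, while the looped version reduces both to an empty string.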
@aamoghS aamoghS marked this pull request as ready for review January 1, 2026 15:04
@aamoghS aamoghS merged commit 29dd602 into main Jan 1, 2026
4 checks passed
@aamoghS aamoghS deleted the alert-autofix-6 branch January 1, 2026 15:34