fix(editor): handle --!> when stripping XML comment markers#66

Merged
linusdevx merged 1 commit into
devfrom
fix/comment-strip-handles-bang-end
Jun 23, 2026

Conversation

@linusdevx

Owner

What

One-line fix to the XML toggle-comment command so it strips both --> and --!> from the end of commented lines.

-        const stripped = line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?-->(\s*)$/, '$1');
+        const stripped = line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?--!?>(\s*)$/, '$1');
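Review bot: the `+` line widens the trailing regex to `\s?--!?>(\s*)$` without a regression test for the new form; the Verification list leans on the build, the E2E run and the CodeQL re-scan, none of which necessarily toggles off a line ending in `--!>`. Suggest a unit case asserting that `<!-- x --!>` strips to `x` and that `<!-- x -->` still strips to `x`, so the bang form stays covered if this regex is touched again. The description says the re-scan "should auto-close" the alert; worth confirming after merge rather than assuming, since the pattern still matches comment terminators.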

Why

CodeQL alert #1 (js/bad-tag-filter, security-severity: high) flagged this regex as a bad-HTML-filtering pattern. After triage:

  • The flag is technically a false positive in this context — the regex output is fed into Monaco's text buffer via editor.executeEdits(), never innerHTML'd or otherwise rendered as HTML. There's no XSS or sanitization-bypass risk; the user is editing their own document.
  • But the underlying incompleteness is real. Per the HTML spec, comments can legally end with --!> as well as --> (see Comment end bang state). Without the fix, toggling off a comment that used the bang form would leave a dangling --!> on the line.

Fixing the regex is one character (!?) and a better story than dismissing the alert.

Verification

  • npm run build passes locally (Vite 6.4.3, 121ms)
  • E2E tests will run on this PR
  • The CodeQL re-scan triggered by this PR should auto-close alert XPATH Changes #1
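The strip step the PR describes, as an added example that is not the project's own code: the pre-fix regex beside the fixed one, plus a hypothetical toggleComment wrapper whose isCommented check accepts either terminator (function names and the wrap format are assumptions).

```javascript
// Added example, not the project's code. Shows why the pre-fix regex left a
// dangling "--!>" and how the one-character change fixes it.

// Pre-fix: strips "<!--" at the start and only the "-->" terminator at the end.
function stripCommentMarkersOld(line) {
  return line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?-->(\s*)$/, '$1');
}

// Fixed: "--!?>" also matches the comment-end-bang form "--!>", which the
// HTML spec treats as a comment terminator (non-conforming, but parsed).
function stripCommentMarkers(line) {
  return line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?--!?>(\s*)$/, '$1');
}

// Hypothetical helper: a line counts as commented when, after trimming, it
// opens with "<!--" and closes with either terminator.
function isCommented(line) {
  const t = line.trim();
  return t.startsWith('<!--') && /--!?>$/.test(t);
}

// Hypothetical toggle: unwrap a commented line, otherwise wrap the content
// while preserving the line's leading and trailing whitespace.
function toggleComment(line) {
  if (isCommented(line)) return stripCommentMarkers(line);
  const m = line.match(/^(\s*)(.*?)(\s*)$/);
  return `${m[1]}<!-- ${m[2]} -->${m[3]}`;
}
```

Toggling `  <!-- <b>x</b> --!>` off with the old regex yields `  <b>x</b> --!>`; with the fixed one it yields `  <b>x</b>`.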

The toggle-comment command stripped --> but not --!>, the rare-but-legal
HTML comment-end-bang form. Browsers (and the HTML spec) treat both as
valid comment terminators; toggling off a buffer that used the bang form
would leave a stray --!> on the line.

Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line.
The alert was technically a false positive — the regex output is fed
into Monaco's text buffer, never rendered as HTML — but the underlying
incompleteness was real, so it's worth fixing rather than dismissing.
@linusdevx linusdevx merged commit 08e6932 into dev Jun 23, 2026
2 of 3 checks passed
@linusdevx linusdevx deleted the fix/comment-strip-handles-bang-end branch June 23, 2026 02:29