Address CodeQL warnings (#351)

MikeAlhayek · web-flow · commit 6da439bc6d1d · 2026-02-28T15:09:37.000-08:00
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -1,7 +1,7 @@
 name: "CodeQL Config for CrestApps.OrchardCore"
 
-# This configuration file is automatically used by GitHub's default CodeQL
-# setup. It does NOT require a separate workflow file.
+# This configuration file is referenced by .github/workflows/codeql.yml.
+# It is NOT automatically used by GitHub's default CodeQL setup.
 
 # Paths to ignore during analysis.
 paths-ignore:
@@ -12,6 +12,8 @@ paths-ignore:
   - "docs/**"
   - "BenchmarkDotNet.Artifacts/**"
   - "TestResults/**"
+  # Third-party / generated files that should not be analysed.
+  - "**/Assets/js/flatpickr-culture.js"
 
 query-filters:
   # Exclude CSRF (missing antiforgery token) alerts.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -14,7 +14,7 @@ permissions:
   contents: read
 
 jobs:
-  analyze:
+  analyze-csharp:
     name: Analyze C#
     runs-on: ubuntu-latest
     timeout-minutes: 60
@@ -41,3 +41,23 @@ jobs:
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:csharp"
+
+  analyze-javascript:
+    name: Analyze JavaScript
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/Assets/js/chat-interaction.js b/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/Assets/js/chat-interaction.js
@@ -21,7 +21,7 @@ window.chatInteractionManager = function () {
                         </div>
                         <div class="lh-base">
                             <h4 v-if="message.title">{{ message.title }}</h4>
-                            <div v-html="message.htmlContent || message.content"></div>
+                            <div v-html="message.htmlContent"></div>
                             <span class="message-buttons-container" v-if="!isIndicator(message)">
                                 <button class="btn btn-sm btn-link text-secondary p-0 button-message-toolbox" @click="copyResponse(message.content)" title="Click here to copy response to clipboard.">
                                     <i class="fa-solid fa-copy"></i>
@@ -415,6 +415,9 @@ window.chatInteractionManager = function () {
                     }
                 },
                 addMessageInternal(message) {
+                    if (message.content && !message.htmlContent) {
+                        message.htmlContent = parseMarkdownContent(message.content, message);
+                    }
                     this.fireEvent(new CustomEvent("addingChatInteractionMessage", { detail: { message: message } }));
                     this.messages.push(message);
 
@@ -688,14 +691,14 @@ window.chatInteractionManager = function () {
                     var stopIcon = this.buttonElement.getAttribute('data-stop-icon');
 
                     if (stopIcon) {
-                        this.buttonElement.innerHTML = DOMPurify.sanitize(stopIcon);
+                        this.buttonElement.replaceChildren(DOMPurify.sanitize(stopIcon, { RETURN_DOM_FRAGMENT: true }));
                     }
                 },
                 streamingFinished() {
                     var startIcon = this.buttonElement.getAttribute('data-start-icon');
 
                     if (startIcon) {
-                        this.buttonElement.innerHTML = DOMPurify.sanitize(startIcon);
+                        this.buttonElement.replaceChildren(DOMPurify.sanitize(startIcon, { RETURN_DOM_FRAGMENT: true }));
                     }
 
                     // Directly manipulate the DOM to stop all streaming animations.
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/wwwroot/scripts/chat-interaction.js b/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/wwwroot/scripts/chat-interaction.js
@@ -29,7 +29,7 @@ window.chatInteractionManager = function () {
     downloadImageTitle: 'Download image',
     downloadChartTitle: 'Download chart as image',
     downloadChartButtonText: 'Download',
-    messageTemplate: "\n            <div class=\"ai-chat-messages\">\n                <div v-for=\"(message, index) in messages\" :key=\"index\" class=\"ai-chat-message-item\">\n                    <div>\n                        <div v-if=\"message.role === 'user'\" class=\"ai-chat-msg-role ai-chat-msg-role-user\">You</div>\n                        <div v-else-if=\"message.role !== 'indicator'\" class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n                            <i :class=\"'fa fa-robot' + (message.isStreaming ? ' ai-streaming-icon' : ' ai-bot-icon')\"></i>\n                            Assistant\n                        </div>\n                        <div class=\"lh-base\">\n                            <h4 v-if=\"message.title\">{{ message.title }}</h4>\n                            <div v-html=\"message.htmlContent || message.content\"></div>\n                            <span class=\"message-buttons-container\" v-if=\"!isIndicator(message)\">\n                                <button class=\"btn btn-sm btn-link text-secondary p-0 button-message-toolbox\" @click=\"copyResponse(message.content)\" title=\"Click here to copy response to clipboard.\">\n                                    <i class=\"fa-solid fa-copy\"></i>\n                                </button>\n                            </span>\n                        </div>\n                    </div>\n                </div>\n            </div>\n        ",
+    messageTemplate: "\n            <div class=\"ai-chat-messages\">\n                <div v-for=\"(message, index) in messages\" :key=\"index\" class=\"ai-chat-message-item\">\n                    <div>\n                        <div v-if=\"message.role === 'user'\" class=\"ai-chat-msg-role ai-chat-msg-role-user\">You</div>\n                        <div v-else-if=\"message.role !== 'indicator'\" class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n                            <i :class=\"'fa fa-robot' + (message.isStreaming ? ' ai-streaming-icon' : ' ai-bot-icon')\"></i>\n                            Assistant\n                        </div>\n                        <div class=\"lh-base\">\n                            <h4 v-if=\"message.title\">{{ message.title }}</h4>\n                            <div v-html=\"message.htmlContent\"></div>\n                            <span class=\"message-buttons-container\" v-if=\"!isIndicator(message)\">\n                                <button class=\"btn btn-sm btn-link text-secondary p-0 button-message-toolbox\" @click=\"copyResponse(message.content)\" title=\"Click here to copy response to clipboard.\">\n                                    <i class=\"fa-solid fa-copy\"></i>\n                                </button>\n                            </span>\n                        </div>\n                    </div>\n                </div>\n            </div>\n        ",
     indicatorTemplate: "\n            <div class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n                <i class=\"fa fa-robot ai-streaming-icon\" style=\"display: inline-block;\"></i>\n                Assistant\n            </div>\n        ",
     // Localizable strings
     untitledText: 'Untitled',
@@ -386,6 +386,9 @@ window.chatInteractionManager = function () {
         },
         addMessageInternal: function addMessageInternal(message) {
           var _this2 = this;
+          if (message.content && !message.htmlContent) {
+            message.htmlContent = parseMarkdownContent(message.content, message);
+          }
           this.fireEvent(new CustomEvent("addingChatInteractionMessage", {
             detail: {
               message: message
@@ -724,13 +727,17 @@ window.chatInteractionManager = function () {
         streamingStarted: function streamingStarted() {
           var stopIcon = this.buttonElement.getAttribute('data-stop-icon');
           if (stopIcon) {
-            this.buttonElement.innerHTML = DOMPurify.sanitize(stopIcon);
+            this.buttonElement.replaceChildren(DOMPurify.sanitize(stopIcon, {
+              RETURN_DOM_FRAGMENT: true
+            }));
           }
         },
         streamingFinished: function streamingFinished() {
           var startIcon = this.buttonElement.getAttribute('data-start-icon');
           if (startIcon) {
-            this.buttonElement.innerHTML = DOMPurify.sanitize(startIcon);
+            this.buttonElement.replaceChildren(DOMPurify.sanitize(startIcon, {
+              RETURN_DOM_FRAGMENT: true
+            }));
           }
 
           // Directly manipulate the DOM to stop all streaming animations.
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/wwwroot/scripts/chat-interaction.min.js b/src/Modules/CrestApps.OrchardCore.AI.Chat.Interactions/wwwroot/scripts/chat-interaction.min.js
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat/Assets/js/ai-chat.js b/src/Modules/CrestApps.OrchardCore.AI.Chat/Assets/js/ai-chat.js
@@ -25,7 +25,7 @@ window.openAIChatManager = function () {
                     </div>
                     <div class="lh-base">
                         <h4 v-if="message.title">{{ message.title }}</h4>
-                        <div v-html="message.htmlContent || message.content"></div>
+                        <div v-html="message.htmlContent"></div>
                         <span class="message-buttons-container" v-if="!isIndicator(message)">
                             <template v-if="metricsEnabled && message.role === 'assistant'">
                                 <span class="ai-chat-message-assistant-feedback" :data-message-id="message.id">
@@ -517,7 +517,7 @@ window.openAIChatManager = function () {
 
                     html += '</div>';
 
-                    this.documentBar.innerHTML = DOMPurify.sanitize(html);
+                    this.documentBar.replaceChildren(DOMPurify.sanitize(html, { RETURN_DOM_FRAGMENT: true }));
 
                     // Bind remove handlers
                     var self = this;
@@ -613,6 +613,9 @@ window.openAIChatManager = function () {
                     }
                 },
                 addMessageInternal(message) {
+                    if (message.content && !message.htmlContent) {
+                        message.htmlContent = parseMarkdownContent(message.content, message);
+                    }
                     this.fireEvent(new CustomEvent("addingOpenAIPromotMessage", { detail: { message: message } }));
                     this.messages.push(message);
 
@@ -915,7 +918,7 @@ window.openAIChatManager = function () {
                     var stopIcon = this.buttonElement.getAttribute('data-stop-icon');
 
                     if (stopIcon) {
-                        this.buttonElement.innerHTML = DOMPurify.sanitize(stopIcon);
+                        this.buttonElement.replaceChildren(DOMPurify.sanitize(stopIcon, { RETURN_DOM_FRAGMENT: true }));
                     }
 
                     if (this.inputElement) {
@@ -926,7 +929,7 @@ window.openAIChatManager = function () {
                     var startIcon = this.buttonElement.getAttribute('data-start-icon');
 
                     if (startIcon) {
-                        this.buttonElement.innerHTML = DOMPurify.sanitize(startIcon);
+                        this.buttonElement.replaceChildren(DOMPurify.sanitize(startIcon, { RETURN_DOM_FRAGMENT: true }));
                     }
 
                     if (this.inputElement) {
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat/wwwroot/scripts/ai-chat.js b/src/Modules/CrestApps.OrchardCore.AI.Chat/wwwroot/scripts/ai-chat.js
@@ -34,7 +34,7 @@ window.openAIChatManager = function () {
     thumbsUpTitle: 'Thumbs up',
     thumbsDownTitle: 'Thumbs down',
     copyTitle: 'Click here to copy response to clipboard.',
-    messageTemplate: "\n        <div class=\"ai-chat-messages\">\n            <div v-for=\"(message, index) in messages\" :key=\"index\" class=\"ai-chat-message-item\">\n                <div>\n                    <div v-if=\"message.role === 'user'\" class=\"ai-chat-msg-role ai-chat-msg-role-user\">{{ userLabel }}</div>\n                    <div v-else-if=\"message.role !== 'indicator'\" class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n                        <i :class=\"'fa fa-robot' + (message.isStreaming ? ' ai-streaming-icon' : ' ai-bot-icon')\"></i>\n                        {{ assistantLabel }}\n                    </div>\n                    <div class=\"lh-base\">\n                        <h4 v-if=\"message.title\">{{ message.title }}</h4>\n                        <div v-html=\"message.htmlContent || message.content\"></div>\n                        <span class=\"message-buttons-container\" v-if=\"!isIndicator(message)\">\n                            <template v-if=\"metricsEnabled && message.role === 'assistant'\">\n                                <span class=\"ai-chat-message-assistant-feedback\" :data-message-id=\"message.id\">\n                                    <button class=\"btn btn-sm btn-link text-success p-0 me-2 button-message-toolbox rate-up-btn\" @click=\"rateMessage(message, true, $event)\" :title=\"thumbsUpTitle\">\n                                        <i class=\"fa-regular fa-thumbs-up\"></i>\n                                    </button>\n                                    <button class=\"btn btn-sm btn-link text-danger p-0 me-2 button-message-toolbox rate-down-btn\" @click=\"rateMessage(message, false, $event)\" :title=\"thumbsDownTitle\">\n                                        <i class=\"fa-regular fa-thumbs-down\"></i>\n                                    </button>\n                                </span>\n                            </template>\n                            <button class=\"btn btn-sm btn-link text-secondary p-0 button-message-toolbox\" @click=\"copyResponse(message.content)\" :title=\"copyTitle\">\n                                <i class=\"fa-solid fa-copy\"></i>\n                            </button>\n                        </span>\n                    </div>\n                </div>\n            </div>\n        </div>\n    ",
+    messageTemplate: "\n        <div class=\"ai-chat-messages\">\n            <div v-for=\"(message, index) in messages\" :key=\"index\" class=\"ai-chat-message-item\">\n                <div>\n                    <div v-if=\"message.role === 'user'\" class=\"ai-chat-msg-role ai-chat-msg-role-user\">{{ userLabel }}</div>\n                    <div v-else-if=\"message.role !== 'indicator'\" class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n                        <i :class=\"'fa fa-robot' + (message.isStreaming ? ' ai-streaming-icon' : ' ai-bot-icon')\"></i>\n                        {{ assistantLabel }}\n                    </div>\n                    <div class=\"lh-base\">\n                        <h4 v-if=\"message.title\">{{ message.title }}</h4>\n                        <div v-html=\"message.htmlContent\"></div>\n                        <span class=\"message-buttons-container\" v-if=\"!isIndicator(message)\">\n                            <template v-if=\"metricsEnabled && message.role === 'assistant'\">\n                                <span class=\"ai-chat-message-assistant-feedback\" :data-message-id=\"message.id\">\n                                    <button class=\"btn btn-sm btn-link text-success p-0 me-2 button-message-toolbox rate-up-btn\" @click=\"rateMessage(message, true, $event)\" :title=\"thumbsUpTitle\">\n                                        <i class=\"fa-regular fa-thumbs-up\"></i>\n                                    </button>\n                                    <button class=\"btn btn-sm btn-link text-danger p-0 me-2 button-message-toolbox rate-down-btn\" @click=\"rateMessage(message, false, $event)\" :title=\"thumbsDownTitle\">\n                                        <i class=\"fa-regular fa-thumbs-down\"></i>\n                                    </button>\n                                </span>\n                            </template>\n                            <button class=\"btn btn-sm btn-link text-secondary p-0 button-message-toolbox\" @click=\"copyResponse(message.content)\" :title=\"copyTitle\">\n                                <i class=\"fa-solid fa-copy\"></i>\n                            </button>\n                        </span>\n                    </div>\n                </div>\n            </div>\n        </div>\n    ",
     indicatorTemplate: "\n        <div class=\"ai-chat-msg-role ai-chat-msg-role-assistant\">\n            <i class=\"fa fa-robot ai-streaming-icon\" style=\"display: inline-block;\"></i>\n            Assistant\n        </div>\n    "
   };
 
@@ -528,7 +528,9 @@ window.openAIChatManager = function () {
           }
           html += '</button>';
           html += '</div>';
-          this.documentBar.innerHTML = DOMPurify.sanitize(html);
+          this.documentBar.replaceChildren(DOMPurify.sanitize(html, {
+            RETURN_DOM_FRAGMENT: true
+          }));
 
           // Bind remove handlers
           var self = this;
@@ -631,6 +633,9 @@ window.openAIChatManager = function () {
         },
         addMessageInternal: function addMessageInternal(message) {
           var _this4 = this;
+          if (message.content && !message.htmlContent) {
+            message.htmlContent = parseMarkdownContent(message.content, message);
+          }
           this.fireEvent(new CustomEvent("addingOpenAIPromotMessage", {
             detail: {
               message: message
@@ -977,7 +982,9 @@ window.openAIChatManager = function () {
         streamingStarted: function streamingStarted() {
           var stopIcon = this.buttonElement.getAttribute('data-stop-icon');
           if (stopIcon) {
-            this.buttonElement.innerHTML = DOMPurify.sanitize(stopIcon);
+            this.buttonElement.replaceChildren(DOMPurify.sanitize(stopIcon, {
+              RETURN_DOM_FRAGMENT: true
+            }));
           }
           if (this.inputElement) {
             this.inputElement.setAttribute('disabled', 'disabled');
@@ -986,7 +993,9 @@ window.openAIChatManager = function () {
         streamingFinished: function streamingFinished() {
           var startIcon = this.buttonElement.getAttribute('data-start-icon');
           if (startIcon) {
-            this.buttonElement.innerHTML = DOMPurify.sanitize(startIcon);
+            this.buttonElement.replaceChildren(DOMPurify.sanitize(startIcon, {
+              RETURN_DOM_FRAGMENT: true
+            }));
           }
           if (this.inputElement) {
             this.inputElement.removeAttribute('disabled');
diff --git a/src/Modules/CrestApps.OrchardCore.AI.Chat/wwwroot/scripts/ai-chat.min.js b/src/Modules/CrestApps.OrchardCore.AI.Chat/wwwroot/scripts/ai-chat.min.js
