fix(webview-ui): resolve CodeQL warning in stripCData by handling HTML-encoded CDATA markers and removing no-op replacement

hannesrudolph · hannesrudolph · commit acbc39d51641 · 2025-10-30T14:39:21.000-06:00
diff --git a/webview-ui/src/utils/diffUtils.ts b/webview-ui/src/utils/diffUtils.ts
@@ -55,11 +55,11 @@ function isSearchReplace(s: string): boolean {
 function stripCData(s: string): string {
 	return (
 		s
-			// HTML-encoded CDATA open
+			// HTML-encoded CDATA open -> raw, then strip raw
 			.replace(/<!\[CDATA\[/g, "<![CDATA[")
-			// CDATA open
 			.replace(/<!\[CDATA\[/g, "")
-			// CDATA close (both encoded and raw)
+			// HTML-encoded CDATA close -> raw, then strip raw
+			.replace(/\]\]>/g, "]]>")
 			.replace(/\]\]>/g, "")
 	)
 }

Original file line number	Diff line number	Diff line change
`@@ -55,11 +55,11 @@ function isSearchReplace(s: string): boolean {`
`55`	`55`	`function stripCData(s: string): string {`
`56`	`56`	`return (`
`57`	`57`	`s`
`58`		`- // HTML-encoded CDATA open`
	`58`	`+ // HTML-encoded CDATA open -> raw, then strip raw`
`59`	`59`	`.replace(/<!\[CDATA\[/g, "<![CDATA[")`
`60`		`- // CDATA open`
`61`	`60`	`.replace(/<!\[CDATA\[/g, "")`
`62`		`- // CDATA close (both encoded and raw)`
	`61`	`+ // HTML-encoded CDATA close -> raw, then strip raw`
	`62`	`+ .replace(/\]\]>/g, "]]>")`
`63`	`63`	`.replace(/\]\]>/g, "")`
`64`	`64`	`)`
`65`	`65`	`}`