Merge pull request #6 from soderlind/security/fix

Potential fix for code scanning alert no. 3: Incomplete string escaping or encoding

Author: soderlind

CHANGELOG.md

@@ -3,6 +3,15 @@
 ### Fixed
 - wordpress.org tabbed theme now detects FAQ content even when the section is titled "Frequently Asked Questions" or appears out of the typical order. Sections are scanned globally and mapped to canonical tabs (description, installation, faq, changelog) irrespective of order.
 
+## [0.1.8] - 2025-10-21
+### Fixed
+- Auto-fix single-line fenced code now safely escapes backslashes before backticks preventing malformed inline code when content contains `\` and `` ` `` characters.
+- Validator emphasis balancing logic now uses a robust regex escape preventing false positives on tokens with special regex metacharacters.
+### Changed
+- README cleaned: removed outdated 0.1.5 update banner to keep intro concise.
+### Security
+- Addresses code scanning warning related to incomplete string escaping for inline code conversion and emphasis token detection.
+
 
 All notable changes to this project will be documented in this file.
 
@@ -76,6 +85,7 @@ The format is based on Keep a Changelog (https://keepachangelog.com/en/1.0.0/) a
 
 [0.1.6]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.5...v0.1.6
 [0.1.7]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.6...v0.1.7
+[0.1.8]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.7...v0.1.8
 [0.1.4]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.3...v0.1.4
 [0.1.5]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.4...v0.1.5
 [0.1.3]: https://github.com/soderlind/wordpress-readme-preview/compare/v0.1.1...v0.1.3

package-lock.json

@@ -2,7 +2,7 @@
 	"name": "wordpress-readme-preview",
 	"displayName": "WordPress Readme",
 	"description": "Preview, validate, and edit WordPress readme.txt files with syntax highlighting, IntelliSense, and accurate rendering",
-	"version": "0.1.7",
+	"version": "0.1.8",
 	"publisher": "persoderlind",
 	"engines": {
 		"vscode": "^1.74.0"

package.json

@@ -74,7 +74,9 @@ export function autoFixReadme(raw: string, options?: { multiLineStyle?: 'indente
       } else if (block.length === 1) {
         // single line -> inline code
         const content = block[0].trim();
-        const inline = '`' + content.replace(/`/g, '\\`') + '`';
+        // Escape backslashes, then backticks
+        const escapedContent = content.replace(/\\/g, '\\\\').replace(/`/g, '\\`');
+        const inline = '`' + escapedContent + '`';
         output.push(inline);
         changes.push(`Converted single-line fenced block at line ${startIndex + 1} to inline code`);
       } else {

src/autoFix.ts

@@ -461,7 +461,10 @@ export class ReadmeValidator {
     });
 
     // 3. Unmatched emphasis markers (simple heuristic)
-    const countMatches = (text: string, token: string) => (text.match(new RegExp(token.replace(/([*~`])/g,'\\$1'),'g')) || []).length;
+    function escapeRegExp(s: string): string {
+      return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+    const countMatches = (text: string, token: string) => (text.match(new RegExp(escapeRegExp(token),'g')) || []).length;
     const totalDoubleAsterisk = countMatches(readme.rawContent, '**');
     if (totalDoubleAsterisk % 2 === 1) {
       warnings.push({