Re: [PR] address DOM text reinterpreted as HTML alert [beam]

via GitHub Fri, 12 Jun 2026 10:01:46 -0700


gemini-code-assist[bot] commented on code in PR #38949:
URL: https://github.com/apache/beam/pull/38949#discussion_r3404960554



##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -109,7 +109,7 @@ if (typeof jQuery === 'undefined') {
       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip 
for ie7
     }
 
-    var $parent = $(selector)
+    var $parent = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy (e.g., `undefined` or `""`), calling 
`$(document).find(selector)` will throw a `SyntaxError` in jQuery (unlike 
`$(selector)` which safely returns an empty jQuery collection). To prevent 
runtime errors when `data-target` or `href` are missing or empty, we should 
guard the call and return an empty jQuery object if `selector` is falsy.
   
   ```suggestion
       var $parent = selector ? $(document).find(selector) : $()
   ```



##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -502,7 +502,8 @@ if (typeof jQuery === 'undefined') {
   var clickHandler = function (e) {
     var href
     var $this   = $(this)
-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) 
&& href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var selector = $this.attr('data-target') || (href = $this.attr('href')) && 
href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+    var $target = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy, calling `$(document).find(selector)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       var selector = $this.attr('data-target') || (href = $this.attr('href')) 
&& href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
       var $target = selector ? $(document).find(selector) : $()
   ```



##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -1550,11 +1552,18 @@ if (typeof jQuery === 'undefined') {
       .css(isVertical ? 'top' : 'left', '')
   }
 
+  function sanitizeHtml(string) {
+    if (typeof DOMPurify !== 'undefined') {
+      return DOMPurify.sanitize(string)
+    }
+    return string
+  }
+
   Tooltip.prototype.setContent = function () {
     var $tip  = this.tip()
     var title = this.getTitle()
 
-    $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
+    $tip.find('.tooltip-inner')[this.options.html ? 'html' : 
'text'](sanitizeHtml(title))

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   Sanitizing the tooltip title when `html` is `false` can cause unexpected 
regressions. For example, plain text tooltips containing characters like `<` or 
`>` (or custom tag-like text) might have their content stripped or corrupted by 
`DOMPurify`. Since jQuery's `.text()` method already safely escapes HTML 
characters, we should only apply `sanitizeHtml` when `this.options.html` is 
`true`.
   
   ```suggestion
       $tip.find('.tooltip-inner')[this.options.html ? 'html' : 
'text'](this.options.html ? sanitizeHtml(title) : title)
   ```



##########
website/www/site/assets/js/bootstrap/carousel.js:
##########
@@ -208,7 +208,8 @@
   var clickHandler = function (e) {
     var href
     var $this   = $(this)
-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) 
&& href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var selector = $this.attr('data-target') || (href = $this.attr('href')) && 
href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+    var $target = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy, calling `$(document).find(selector)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       var selector = $this.attr('data-target') || (href = $this.attr('href')) 
&& href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
       var $target = selector ? $(document).find(selector) : $()
   ```



##########
website/www/site/assets/js/bootstrap/modal.js:
##########
@@ -320,7 +320,8 @@
   $(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function 
(e) {
     var $this   = $(this)
     var href    = $this.attr('href')
-    var $target = $($this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+    var selector = $this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var $target = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy, calling `$(document).find(selector)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       var selector = $this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
       var $target = selector ? $(document).find(selector) : $()
   ```



##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -1230,7 +1231,8 @@ if (typeof jQuery === 'undefined') {
   $(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function 
(e) {
     var $this   = $(this)
     var href    = $this.attr('href')
-    var $target = $($this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+    var selector = $this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var $target = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy, calling `$(document).find(selector)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       var selector = $this.attr('data-target') || (href && 
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
       var $target = selector ? $(document).find(selector) : $()
   ```



##########
website/www/site/assets/js/bootstrap/tooltip.js:
##########
@@ -302,11 +302,18 @@
       .css(isVertical ? 'top' : 'left', '')
   }
 
+  function sanitizeHtml(string) {
+    if (typeof DOMPurify !== 'undefined') {
+      return DOMPurify.sanitize(string)
+    }
+    return string
+  }
+
   Tooltip.prototype.setContent = function () {
     var $tip  = this.tip()
     var title = this.getTitle()
 
-    $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
+    $tip.find('.tooltip-inner')[this.options.html ? 'html' : 
'text'](sanitizeHtml(title))

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   Sanitizing the tooltip title when `html` is `false` can cause unexpected 
regressions. For example, plain text tooltips containing characters like `<` or 
`>` (or custom tag-like text) might have their content stripped or corrupted by 
`DOMPurify`. Since jQuery's `.text()` method already safely escapes HTML 
characters, we should only apply `sanitizeHtml` when `this.options.html` is 
`true`.
   
   ```suggestion
       $tip.find('.tooltip-inner')[this.options.html ? 'html' : 
'text'](this.options.html ? sanitizeHtml(title) : title)
   ```



##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -691,7 +692,7 @@ if (typeof jQuery === 'undefined') {
     var target = $trigger.attr('data-target')
       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') 
// strip for ie7
 
-    return $(target)
+    return $(document).find(target)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `target` is falsy, calling `$(document).find(target)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       return target ? $(document).find(target) : $()
   ```



##########
website/www/site/assets/js/bootstrap/collapse.js:
##########
@@ -159,7 +159,7 @@
     var target = $trigger.attr('data-target')
       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') 
// strip for ie7
 
-    return $(target)
+    return $(document).find(target)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `target` is falsy, calling `$(document).find(target)` will throw a 
`SyntaxError`. We should guard against falsy values and return United jQuery 
collection instead.
   
   ```suggestion
       return target ? $(document).find(target) : $()
   ```



##########
website/www/site/assets/js/bootstrap/alert.js:
##########
@@ -31,7 +31,7 @@
       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip 
for ie7
     }
 
-    var $parent = $(selector)
+    var $parent = $(document).find(selector)

Review Comment:
   ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)
   
   If `selector` is falsy, calling `$(document).find(selector)` will throw a 
`SyntaxError`. We should guard against falsy values and return an empty jQuery 
collection instead.
   
   ```suggestion
       var $parent = selector ? $(document).find(selector) : $()
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] address DOM text reinterpreted as HTML alert [beam]

Reply via email to