gemini-code-assist[bot] commented on code in PR #38949:
URL: https://github.com/apache/beam/pull/38949#discussion_r3420344808
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -502,7 +502,8 @@ if (typeof jQuery === 'undefined') {
var clickHandler = function (e) {
var href
var $this = $(this)
- var $target = $($this.attr('data-target') || (href = $this.attr('href'))
&& href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+ var selector = $this.attr('data-target') || (href = $this.attr('href')) &&
href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ var $target = selector ? $(document).find(selector) : $()
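Review bot: The reason `$(document).find(selector)` now replaces `$(selector)` is not recorded in the hunk; the only comment on the new lines is the stale `// strip for ie7`. `$(sel)` treats a string that begins with `<` as an HTML fragment and builds DOM nodes from it, so an attacker-influenced `data-target` or `href` could inject markup, whereas `.find()` only ever parses the value as a CSS selector (an invalid one throws, as the comment above notes, but nothing is ever created). Without a why-comment the next maintainer can "simplify" it back, so suggest `var $target = selector ? $(document).find(selector) : $() // .find() parses as a selector only, never as HTML` on the last added line. The same pattern and the same missing comment recur in the carousel, modal, alert, collapse and dropdown hunks and in their bootstrap.js copies (bootstrap.js looks like the concatenated build of the component files, so each change has to land in both copies to stay in sync); the enclosing `clickHandler` continues past the end of the hunk.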
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```suggestion
var $target
try {
$target = selector ? $(document).find(selector) : $()
} catch (e) {
$target = $()
}
```
##########
website/www/site/assets/js/bootstrap/tooltip.js:
##########
@@ -302,11 +302,18 @@
.css(isVertical ? 'top' : 'left', '')
}
+ function sanitizeHtml(string) {
+ if (typeof DOMPurify !== 'undefined' && typeof string === 'string') {
+ return DOMPurify.sanitize(string)
+ }
+ return string
+ }
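Review bot: There is no signal when `sanitizeHtml` runs without `DOMPurify`: the final `return string` is reached silently, so a failed or blocked script load on the live site would leave tooltips unsanitized with nothing in the console or logs to show it. Whatever fallback is chosen for that branch, make the degraded mode observable, e.g. `if (typeof DOMPurify === 'undefined') console.warn('DOMPurify not loaded; tooltip HTML is not sanitized')` before the last return, and give the function a JSDoc stating the contract: returns DOMPurify-sanitized HTML when DOMPurify is loaded, otherwise the input unchanged, non-strings passed through. That `typeof string === 'string'` guard also means non-string values bypass sanitization entirely; if the tooltip `title` option can be a function returning a DOM node or jQuery object, that path is unsanitized — confirm at the call site, which is outside this hunk. The identical function is added to bootstrap.js in a later hunk of this review, so both copies should carry the same fallback, warning and JSDoc.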
Review Comment:


If `DOMPurify` is not loaded or fails to load, this function silently
returns the unsanitized string, leaving the application vulnerable to XSS. We
should fall back to a safe HTML escaping mechanism to ensure security by
default.
```suggestion
function sanitizeHtml(string) {
if (typeof DOMPurify !== 'undefined' && typeof string === 'string') {
return DOMPurify.sanitize(string)
}
if (typeof string === 'string') {
return string
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
}
return string
}
```
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -1230,7 +1231,8 @@ if (typeof jQuery === 'undefined') {
$(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function
(e) {
var $this = $(this)
var href = $this.attr('href')
- var $target = $($this.attr('data-target') || (href &&
href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+ var selector = $this.attr('data-target') || (href &&
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+ var $target = selector ? $(document).find(selector) : $()
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
var $target
try {
$target = selector ? $(document).find(selector) : $()
} catch (e) {
$target = $()
}
```
##########
website/www/site/assets/js/bootstrap/carousel.js:
##########
@@ -208,7 +208,8 @@
var clickHandler = function (e) {
var href
var $this = $(this)
- var $target = $($this.attr('data-target') || (href = $this.attr('href'))
&& href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+ var selector = $this.attr('data-target') || (href = $this.attr('href')) &&
href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
+ var $target = selector ? $(document).find(selector) : $()
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```suggestion
var $target
try {
$target = selector ? $(document).find(selector) : $()
} catch (e) {
$target = $()
}
```
##########
website/www/site/assets/js/bootstrap/modal.js:
##########
@@ -320,7 +320,8 @@
$(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function
(e) {
var $this = $(this)
var href = $this.attr('href')
- var $target = $($this.attr('data-target') || (href &&
href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+ var selector = $this.attr('data-target') || (href &&
href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+ var $target = selector ? $(document).find(selector) : $()
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
var $target
try {
$target = selector ? $(document).find(selector) : $()
} catch (e) {
$target = $()
}
```
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -109,7 +109,7 @@ if (typeof jQuery === 'undefined') {
selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip
for ie7
}
- var $parent = $(selector)
+ var $parent = selector ? $(document).find(selector) : $()
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
var $parent
try {
$parent = selector ? $(document).find(selector) : $()
} catch (e) {
$parent = $()
}
```
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -691,7 +692,7 @@ if (typeof jQuery === 'undefined') {
var target = $trigger.attr('data-target')
|| (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')
// strip for ie7
- return $(target)
+ return target ? $(document).find(target) : $()
Review Comment:

If `target` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(target)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
try {
return target ? $(document).find(target) : $()
} catch (e) {
return $()
}
```
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -773,7 +774,7 @@ if (typeof jQuery === 'undefined') {
selector = selector && /#[A-Za-z]/.test(selector) &&
selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
}
- var $parent = selector && $(selector)
+ var $parent = selector && $(document).find(selector)
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```suggestion
var $parent
try {
$parent = selector && $(document).find(selector)
} catch (e) {
$parent = $()
}
```
##########
website/www/site/assets/js/bootstrap/alert.js:
##########
@@ -31,7 +31,7 @@
selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip
for ie7
}
- var $parent = $(selector)
+ var $parent = selector ? $(document).find(selector) : $()
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
var $parent
try {
$parent = selector ? $(document).find(selector) : $()
} catch (e) {
$parent = $()
}
```
##########
website/www/site/assets/js/bootstrap.js:
##########
@@ -1550,11 +1552,18 @@ if (typeof jQuery === 'undefined') {
.css(isVertical ? 'top' : 'left', '')
}
+ function sanitizeHtml(string) {
+ if (typeof DOMPurify !== 'undefined' && typeof string === 'string') {
+ return DOMPurify.sanitize(string)
+ }
+ return string
+ }
Review Comment:


If `DOMPurify` is not loaded or fails to load, this function silently
returns the unsanitized string, leaving the application vulnerable to XSS. We
should fall back to a safe HTML escaping mechanism to ensure security by
default.
```suggestion
function sanitizeHtml(string) {
if (typeof DOMPurify !== 'undefined' && typeof string === 'string') {
return DOMPurify.sanitize(string)
}
if (typeof string === 'string') {
return string
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"')
.replace(/'/g, ''')
}
return string
}
```
##########
website/www/site/assets/js/bootstrap/collapse.js:
##########
@@ -159,7 +159,7 @@
var target = $trigger.attr('data-target')
|| (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')
// strip for ie7
- return $(target)
+ return target ? $(document).find(target) : $()
Review Comment:

If `target` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(target)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```javascript
try {
return target ? $(document).find(target) : $()
} catch (e) {
return $()
}
```
##########
website/www/site/assets/js/bootstrap/dropdown.js:
##########
@@ -29,7 +29,7 @@
selector = selector && /#[A-Za-z]/.test(selector) &&
selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
}
- var $parent = selector && $(selector)
+ var $parent = selector && $(document).find(selector)
Review Comment:

If `selector` is an invalid selector (e.g., an external URL like
`https://example.com` or an arbitrary string containing special characters),
`$(document).find(selector)` will throw a jQuery syntax error (`Sizzle.error:
Unrecognized expression`). This can crash the JavaScript execution on the page
when a user clicks a link. To prevent this, we should wrap the query in a
`try/catch` block.
```suggestion
var $parent
try {
$parent = selector && $(document).find(selector)
} catch (e) {
$parent = $()
}
```