
Fix regex security hotspot in brand.html; deduplicate theme-toggle markup#25

Merged
kiyarose merged 2 commits into
mainfrom
copilot/fix-regex-security-hotspots
Mar 20, 2026

Conversation

Contributor

Copilot AI commented Mar 20, 2026

Two issues: a static-analysis ReDoS warning on a regex in brand.html, and the theme-toggle <button> SVG block duplicated verbatim across all four HTML pages.

Regex (brand.html)

highlightHtml() used a lazy quantifier [^&]*? that scanners flag for potential ReDoS. The regex only ever runs on the output of makeHtml() — bounded, machine-generated strings, never user input — so catastrophic backtracking is not a realistic concern. Changed to greedy [^&]* (correct and more idiomatic here) and added a comment making the input provenance explicit.

// Before
/(&lt;\/?[a-zA-Z0-9-]+)([^&]*?)(&gt;)/g

// After — greedy [^&]* is correct; no nested quantifiers, no backtracking risk
/(&lt;\/?[a-zA-Z0-9-]+)([^&]*)(&gt;)/g

Deduplicated theme-toggle markup

The 38-line <button class="theme-toggle"> block (inline sun/moon SVGs) was copy-pasted into index.html, apply.html, donate.html, and brand.html. Moved to theme.js as injectThemeToggleButton(), called from init() when #themeToggle is absent.

  • theme.js — adds injectThemeToggleButton(); init() now injects the button if not already in the DOM
  • All four HTML files — hardcoded button block removed, replaced with a one-line comment
  • donate.html's override script (shake-instead-of-toggle behavior) is unaffected; it runs after theme.js injects the element and clones it as before

Net: −157 lines of duplication across HTML, +40 lines in theme.js.
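The regex change described above, as an added example that is not part of this PR or the project's code: it runs both the lazy and the greedy form of the `highlightHtml()` pattern over a constructed sample of entity-escaped markup and shows that they match the same tags and produce the same output. Because `[^&]` can never consume an `&`, the attribute group is always cut off at the next entity, so there is only one way for each match to end and nothing for the engine to backtrack through. The `highlight()` wrapper, the span classes and the sample string are assumptions made for this example; it also assumes `makeHtml()` escapes only `<`, `>` and `&`, which the PR does not state.

```javascript
// Added example, not the project's code. Compares the lazy ("before") and
// greedy ("after") forms of the highlightHtml() regex on entity-escaped input.

// Before: lazy quantifier in the attribute group, flagged by the scanner.
const LAZY_RE = /(&lt;\/?[a-zA-Z0-9-]+)([^&]*?)(&gt;)/g;

// After (the PR's version): greedy quantifier. [^&] cannot match '&', so the
// attribute group stops at the next entity and cannot swallow the closing &gt;.
const GREEDY_RE = /(&lt;\/?[a-zA-Z0-9-]+)([^&]*)(&gt;)/g;

// Hypothetical highlighter: wrap the tag name and its attributes in spans,
// the way a syntax highlighter for escaped HTML would. Span classes are assumed.
function highlight(escaped, re) {
  return escaped.replace(re, (match, open, attrs, close) => {
    const attrSpan = attrs ? `<span class="attr">${attrs}</span>` : '';
    return `<span class="tag">${open}</span>${attrSpan}<span class="tag">${close}</span>`;
  });
}

// Constructed sample of the kind of output makeHtml() is assumed to produce:
// only <, > and & escaped, attribute quotes left as-is.
const SAMPLE =
  '&lt;div class="card" data-x=1&gt;&lt;p&gt;Hi &amp; bye&lt;/p&gt;&lt;/div&gt;';

// True when both regex forms yield byte-identical highlighted output.
function lazyAndGreedyAgree(input) {
  return highlight(input, LAZY_RE) === highlight(input, GREEDY_RE);
}

// Number of tag matches a given form finds; used to show neither form
// over- or under-matches relative to the other.
function countTags(input, re) {
  return (input.match(re) || []).length;
}

// An unterminated tag (no &gt;) simply does not match: [^&]* runs to the end
// of the string, &gt; fails, and the engine gives up at that start position.
function unterminatedTagIsLeftAlone(input) {
  return highlight(input, GREEDY_RE) === input;
}

console.log(highlight(SAMPLE, GREEDY_RE));
console.log('lazy and greedy agree:', lazyAndGreedyAgree(SAMPLE));
console.log('tags matched:', countTags(SAMPLE, GREEDY_RE));
```

The equivalence holds for any entity-escaped input, not just this sample: with both `[^&]*?` and `[^&]*` the attribute group is bounded by the first `&` after the tag name, and `&gt;` itself begins with `&`, so each candidate match has exactly one possible end point. The greedy form is therefore the clearer expression of the same behaviour, which is why the scanner's finding could be resolved by rewriting rather than by accepting it.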




deepsource-io Bot commented Mar 20, 2026

DeepSource Code Review

We reviewed changes in d2b6350...70f99c8 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

Code Review Summary

Analyzer Status Updated (UTC) Details
Secrets Mar 20, 2026 5:28p.m. Review ↗
Shell Mar 20, 2026 5:28p.m. Review ↗
JavaScript Mar 20, 2026 5:28p.m. Review ↗

…me-toggle markup

- brand.html: change lazy quantifier [^&]*? to greedy [^&]* in highlightHtml
  regex; add comment noting input is machine-generated (not user input) so ReDoS
  is not a concern
- theme.js: add injectThemeToggleButton() so the button is defined in one place;
  init() now injects it automatically when #themeToggle is absent
- index.html, apply.html, donate.html, brand.html: remove 38-line duplicated
  theme-toggle <button> block from each file (replaced with a brief comment)

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/d607b3be-436a-4aac-9f9f-13f8be74a195

cloudflare-workers-and-pages Bot commented Mar 20, 2026

Deploying kvgrow with Cloudflare Pages

Latest commit: 70f99c8
Status: ✅  Deploy successful!
Preview URL: https://84d76411.kvgrow.pages.dev
Branch Preview URL: https://copilot-fix-regex-security-h.kvgrow.pages.dev


Copilot AI changed the title [WIP] Fix security hotspots in brand.html and reduce code duplication Fix regex security hotspot in brand.html; deduplicate theme-toggle markup Mar 20, 2026

sonarqubecloud Bot commented Mar 20, 2026

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI requested a review from kiyarose March 20, 2026 17:29
@kiyarose kiyarose added this to the Modernize_r1 milestone Mar 20, 2026
@kiyarose kiyarose added enhancement New feature or request good first issue Good for newcomers labels Mar 20, 2026
@kiyarose kiyarose marked this pull request as ready for review March 20, 2026 17:45
Copilot AI review requested due to automatic review settings March 20, 2026 17:45

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@kiyarose kiyarose merged commit 16ab410 into main Mar 20, 2026
5 checks passed
@kiyarose kiyarose deleted the copilot/fix-regex-security-hotspots branch March 20, 2026 17:47
kiyarose added a commit that referenced this pull request Mar 29, 2026
* donate: follow system theme instead of forcing dark mode (#21)

* Initial plan

* fix: follow system theme on donate page instead of forcing dark mode

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* style: format code with Prettier and StandardJS

This commit fixes the style issues introduced in 04d1db2 according to the output
from Prettier and StandardJS.

Details: #21

* fix: head script uses only system theme, no localStorage, on donate page

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Co-authored-by: Kiya Rose Ren-Miyakari <kiya.rose@sillylittle.tech>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>

* Switch primary font to Lexend and refine typography weights (#22)

* Switch primary font to Lexend and keep footer in SLF Dreamer

Co-authored-by: Kiya Rose Ren-Miyakari <kiya.rose@sillylittle.tech>

* Increase button font weight and lighten Tech wordmark

Co-authored-by: Kiya Rose Ren-Miyakari <kiya.rose@sillylittle.tech>

* style: format code with Prettier and StandardJS

This commit fixes the style issues introduced in 3e8c457 according to the output
from Prettier and StandardJS.

Details: #22

* Move Google Fonts to `<link>` preconnect and fix "Tech" wordmark font (#24)

* Initial plan

* perf: move Google Fonts to link preconnect and fix Tech wordmark font

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* docs: add comment to base.css noting Lexend must be loaded via link in HTML head

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Co-authored-by: Kiya Rose Ren-Miyakari <kiya.rose@sillylittle.tech>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Fix regex security hotspot in brand.html; deduplicate theme-toggle markup (#25)

* Initial plan

* fix: address regex security hotspot in brand.html and deduplicate theme-toggle markup

- brand.html: change lazy quantifier [^&]*? to greedy [^&]* in highlightHtml
  regex; add comment noting input is machine-generated (not user input) so ReDoS
  is not a concern
- theme.js: add injectThemeToggleButton() so the button is defined in one place;
  init() now injects it automatically when #themeToggle is absent
- index.html, apply.html, donate.html, brand.html: remove 38-line duplicated
  theme-toggle <button> block from each file (replaced with a brief comment)

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/d607b3be-436a-4aac-9f9f-13f8be74a195

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Create dependabot.yml for version updates

Add initial configuration for Dependabot updates.

* Fix copy button hidden behind codebox on brand page (#29)

* Initial plan

* Fix: Move copy button inside codebox to fix visibility on brand page

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/95786c2e-8426-4962-9e32-0a5d8b95169d

* Fix copy button: solid background, outside scroll container, clean up duplicate CSS rule

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/a3f820f0-13cd-462d-99b7-6f488c044450

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Set package ecosystem to 'npm' in dependabot config

* Fix FOUC on Contact Us page and resolve SonarCloud maintainability warnings (#31)

* Initial plan

* Fix: add anti-FOUC theme script to apply.html head

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/a98d089c-ab11-4c4b-a4fa-7650d3896cd8

* Fix SonarCloud empty catch block warning in anti-FOUC scripts

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/6f4b51b7-2269-4f71-ae73-973284fcaffc

* Fix SonarCloud unused catch binding in anti-FOUC scripts (use optional catch binding)

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/a28f3a6f-996a-4016-8937-3b1ac822baa6

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* fix: resolve 53 SonarCloud code smells across 6 files (#27)

* Initial plan

* fix: resolve 53 SonarCloud code smells across brand.css, brand.html, donate.html, index.html, script.js, theme.js

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/c16e496a-1317-4d1b-8e22-e77d44847609

* Changes before error encountered

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/6ab0c607-d2b4-4328-b631-5e9ab7d8bab2

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Add package.json listing all project dependencies (#32)

Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/4be40485-ef5d-4df0-a8f7-ba0e3df5456a

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* Create CNAME

* Delete CNAME

* Replace contributor links with Projects page; add floating contributor profile icons (#36)

* Initial plan

* Modernize links: add projects link, contributor profile icons

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/a574598b-7edf-4eb0-aa1e-5a759150361d

* Move contributor icons to contributors.json, load dynamically

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>
Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/dfe39997-dff4-4df4-a515-5832beec1d91

* Move contributor icons above links in right section

Agent-Logs-Url: https://github.com/SillyLittleTech/lander/sessions/c06585fb-4ad8-402f-bfbe-eb9b2a46e50c

Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kiyarose <75678535+kiyarose@users.noreply.github.com>

* enhance: better terminology on apply page (#37)

Apply page now better serves as a versatile contact us page.
The terminology on this page now better serves any possible reason for contact, and is welcoming to projects of all types.

* Update redirects and apply page header (#38)

* Update _redirects with new project links

Added new redirects for various projects and contributions.

* Update title and header for apply.html

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>