Potential fix for code scanning alert no. 42: DOM text reinterpreted as HTML

[thorsten]

Potential fix for https://github.com/thorsten/phpMyFAQ/security/code-scanning/42

In general, to fix this kind of issue you should avoid interpreting untrusted text as HTML. Instead of using DOMParser(..., 'text/html') or injecting into innerHTML to remove tags, use a text-based approach (e.g., regular expressions or a well-known sanitizer library) that treats the string as plain text and strips or escapes HTML markup without parsing it as DOM.

For this codebase, the simplest and safest fix is to change stripHtml in phpmyfaq/admin/assets/src/utils/flesch-reading-ease.ts so it no longer uses DOMParser. Instead, we can remove angle-bracket tag structures via a regular expression and decode a small set of HTML entities needed for readability calculations. This preserves the function’s purpose—deriving plain text from possibly-marked-up content—while eliminating the step where attacker-controlled input is reinterpreted as HTML.

Concretely:

• In stripHtml, replace:
  • const doc = new DOMParser().parseFromString(html, 'text/html');
  • return doc.body.textContent || '';
• With a purely string-based implementation, for example:
  • Strip tags with html.replace(/<[^>]*>/g, ' ')
  • Normalize whitespace
  • Optionally decode common entities ( , &, <, >, ", ') so the readability calculation operates on human-readable text.

No changes are needed in faqs.editor.ts or in any of the readability functions; they will continue to receive a string and work as before. We don’t need additional imports if we implement this with built-in string operations. This single change will address all alert variants, since the tainted flow only becomes problematic at the DOMParser sink.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

• Refactor
  • Improved text processing efficiency for readability analysis calculations, with more robust handling of HTML content formatting.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aaebb53 and c101558.

📒 Files selected for processing (1)

• phpmyfaq/admin/assets/src/utils/flesch-reading-ease.ts

---

📝 Walkthrough

Walkthrough

A utility function in the Flesch reading ease calculator is refactored to replace DOM-based HTML stripping with regex pattern matching and manual HTML entity decoding, eliminating DOM dependency while normalizing whitespace for text processing.

Changes

Cohort / File(s)	Summary
HTML Stripping Refactor phpmyfaq/admin/assets/src/utils/flesch-reading-ease.ts	Replaces DOMParser-based HTML tag removal with regex pattern <[^>]*>/g; adds entity decoding for &nbsp;, &lt;, &gt;, &quot;, &#39;, &amp; (with ampersand decoded last to prevent double-unescaping); includes early return for falsy input; normalizes consecutive whitespace.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 No DOM parser here, just regex and care,
HTML tags stripped with a pattern so fair,
Entities decoded in just the right way,
Plain text emerges, ready for the fray!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the primary change: fixing a code scanning alert by removing DOM parsing of HTML input.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch alert-autofix-42

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@phpmyfaq/admin/assets/src/utils/flesch-reading-ease.ts`:
- Around line 58-64: The replace order causes double-unescaping (e.g.,
"&amp;lt;" → "<"); in the flesch-reading-ease code update the HTML-entity
decoding so the "&amp;" replacement runs last: locate the block that mutates the
variable text (the series of text = text.replace(... ) lines) and reorder them
so &nbsp;, &lt;, &gt;, &quot;, &#39; (and any other specific entity replaces)
happen before the &amp; replacement, leaving the text = text.replace(/&amp;/gi,
'&'); as the final replacement.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aaebb53 and c0e85fb.

📒 Files selected for processing (1)

• phpmyfaq/admin/assets/src/utils/flesch-reading-ease.ts

[Copilot]

@thorsten I've opened a new pull request, #4027, to work on those changes. Once the pull request is ready, I'll request review from you.