Skip to content

fix: harden input sanitization in utils.js (sanitizeNumeric, sanitizePercentage, createContentElement)#123

Merged
PDowney merged 3 commits intomasterfrom
copilot/fix-cleaned-string-issues
Mar 27, 2026
Merged

fix: harden input sanitization in utils.js (sanitizeNumeric, sanitizePercentage, createContentElement)#123
PDowney merged 3 commits intomasterfrom
copilot/fix-cleaned-string-issues

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026
edited
Loading

Three input sanitization bugs in the admin control panel utilities module that allowed malformed values through validation or could produce malformed DOM elements.

Software Version Updates

Changed Versions

No version changes — logic/bug fixes only.

Version Diff

// sanitizeNumeric: was
- const cleaned = String(input || "").replace(/[^\d.-]/g, "");
- return cleaned || fallback;
// now: anchored regex prevents multi-decimal/multi-minus inputs; returns validated number
+ const match = str.match(/^(-)?(\d+)?(?:\.(\d+))?/);
+ return String(parsed);

// sanitizePercentage: was
- return cleaned || fallback;
// now: validates structure before returning
+ const percentagePattern = /^\d+(\.\d+)?%?$/;
+ if (!cleaned || !percentagePattern.test(cleaned)) return fallback;

// createContentElement: was
- const { containerClass, iconClass, ... } = config; // no guard
// now: null-checks config and validates required class name strings
+ if (!config || typeof config !== "object") return null;
+ if (typeof containerClass !== "string" || containerClass.length === 0 ...) return null;

Verification Checklist

  • sanitizeNumeric — anchored regex replaces permissive /[^\d.-]/g; returns String(parsed) (validated number) instead of raw cleaned string
  • sanitizePercentage — post-clean regex validation rejects inputs like 1.2.3%%
  • createContentElement — null/type guard on config; required CSS class properties validated as non-empty strings; iconType defaults to "fa-info-circle"; messageText/timeText use ?? "" to avoid passing undefined to sanitizeInput
  • CHANGELOG.md updated

Notes

These are targeted correctness and defensive-coding fixes. No API surface changes; callers passing valid input are unaffected.

Original prompt 
Please apply the following diffs and create a pull request.
Once the PR is ready, give it a title based on the messages of the fixes being applied.

[{"message":"The method allows multiple decimal points and minus signs in the cleaned string (e.g., '1.2.3' or '1-2-3') which parseFloat will parse incorrectly. The regex /[^\\d.-]/g allows these invalid patterns. Additionally, line 36 returns 'cleaned' (the string) instead of 'parsed' (the validated number), causing inconsistency with the validation performed on lines 27-33. Replace line 36 with 'return String(parsed)' or refactor to ensure the returned value matches the validated numeric range.","fixFiles":[{"filePath":"config/var/www/admin/control-panel/modules/utils.js","diff":"diff --git a/config/var/www/admin/control-panel/modules/utils.js b/config/var/www/admin/control-panel/modules/utils.js\n--- a/config/var/www/admin/control-panel/modules/utils.js\n+++ b/config/var/www/admin/control-panel/modules/utils.js\n@@ -20,20 +20,37 @@\n   }\n \n   sanitizeNumeric(input, fallback = \"0\") {\n-    const cleaned = String(input || \"\").replace(/[^\\d.-]/g, \"\");\n-    const parsed = parseFloat(cleaned);\n-    \n+    const str = String(input ?? \"\").trim();\n+\n+    // Build a well-formed numeric string: optional leading '-', digits, optional '.' and more digits.\n+    const match = str.match(/^(-)?(\\d+)?(?:\\.(\\d+))?/);\n+    if (!match) {\n+      return fallback;\n+    }\n+\n+    const sign = match[1] || \"\";\n+    const intPart = match[2] || \"\";\n+    const fracPart = match[3] || \"\";\n+\n+    // Require at least one digit overall\n+    if (!intPart && !fracPart) {\n+      return fallback;\n+    }\n+\n+    const normalized = sign + (intPart || \"0\") + (fracPart ? \".\" + fracPart : \"\");\n+    const parsed = parseFloat(normalized);\n+\n     // Check if it's a valid number and within reasonable bounds\n     if (isNaN(parsed) || !isFinite(parsed)) {\n       return fallback;\n     }\n-    \n+\n     // Reasonable bounds for dashboard metrics\n     if (parsed < 0 || parsed > DashboardUtils.MAX_DASHBOARD_METRIC) {\n       return fallback;\n     }\n-    \n-    return cleaned || fallback;\n+\n+    return String(parsed);\n   }\n \n   sanitizePercentage(input, fallback = \"0%\") {\n"}]},{"message":"The regex allows multiple decimal points and percentage signs (e.g., '1.2.3%%' becomes '1.2.3%%'), which doesn't constitute a valid percentage. Consider validating that the result matches a proper percentage pattern (e.g., /^\\d+(\\.\\d+)?%?$/) before returning, or return the fallback if validation fails.","fixFiles":[{"filePath":"config/var/www/admin/control-panel/modules/utils.js","diff":"diff --git a/config/var/www/admin/control-panel/modules/utils.js b/config/var/www/admin/control-panel/modules/utils.js\n--- a/config/var/www/admin/control-panel/modules/utils.js\n+++ b/config/var/www/admin/control-panel/modules/utils.js\n@@ -38,7 +38,15 @@\n \n   sanitizePercentage(input, fallback = \"0%\") {\n     const cleaned = String(input || \"\").replace(/[^\\d.%]/g, \"\");\n-    return cleaned || fallback;\n+\n+    // Ensure the cleaned value is a syntactically valid percentage:\n+    // one or more digits, optional single decimal part, optional trailing '%'.\n+    const percentagePattern = /^\\d+(\\.\\d+)?%?$/;\n+    if (!cleaned || !percentagePattern.test(cleaned)) {\n+      return fallback;\n+    }\n+\n+    return cleaned;\n   }\n \n   sanitizeUrl(input, fallback = \"\") {\n"}]},{"message":"The method destructures all properties from config without validating their existence or types. If required properties are missing (e.g., containerClass, iconClass), the code will create elements with 'undefined' class names, leading to unexpected DOM structure. Add validation to ensure required properties exist, or provide sensible defaults for optional properties.","fixFiles":[{"filePath":"config/var/www/admin/control-panel/modules/utils.js","diff":"diff --git a/config/var/www/admin/control-panel/modules/utils.js b/config/var/www/admin/control-panel/modules/utils.js\n--- a/config/var/www/admin/control-panel/modules/utils.js\n+++ b/config/var/www/admin/control-panel/modules/utils.js\n@@ -105,8 +105,35 @@\n \n   // Helper method for creating content elements with icon, message, and time\n   createContentElement(config) {\n-    const { containerClass, iconClass, contentClass, messageText, timeText, timeClass, iconType } = config;\n+    // Basic validation to avoid undefined class names and malformed DOM\n+    if (!config || typeof config !== \"object\") {\n+      return null;\n+    }\n \n+    const {\n+      containerClass,\n+      iconClass,\n+      contentClass,\n+      messageText,\n+      timeText,\n+      timeClass,\n+      iconType = \"fa-info-circle\",\n+    } = config;\n+\n+    // Ensure required class names are non-empty strings\n+    if (\n+      typeof containerClass !== \"string\" ||\n+      containerClass.length === 0 ||\n+      typeof iconClass !== \"string...

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

@PDowney
Fix input sanitization bugs in utils.js: sanitizeNumeric, sanitizePer…
1bd34ee 
…centage, createContentElement

Co-authored-by: PDowney <11467177+PDowney@users.noreply.github.com>
Agent-Logs-Url: https://github.com/EngineScript/EngineScript/sessions/ffb3c415-b0f0-4833-bf05-34e604c4f263
Copilot AI changed the title [WIP] Fix cleaned string parsing issues in utils.js fix: harden input sanitization in utils.js (sanitizeNumeric, sanitizePercentage, createContentElement) Mar 25, 2026
Copilot AI requested a review from PDowney March 25, 2026 20:46
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 25, 2026

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@PDowney PDowney marked this pull request as ready for review March 27, 2026 20:25
Copilot AI review requested due to automatic review settings March 27, 2026 20:25
@PDowney PDowney merged commit 61d56c6 into master Mar 27, 2026
10 checks passed
@github-actions github-actions bot deleted the copilot/fix-cleaned-string-issues branch March 27, 2026 20:28
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the admin control panel’s JavaScript utility sanitizers to prevent malformed numeric/percentage values and to avoid creating malformed DOM structures from invalid configuration objects.

Changes:

  • Refactors sanitizeNumeric to normalize and validate numeric input before returning.
  • Adds syntactic validation to sanitizePercentage after cleaning.
  • Adds defensive validation to createContentElement to avoid undefined/invalid class names and unsafe text inputs.

config/var/www/admin/control-panel/modules/utils.js
Comment on lines +26 to +35
const match = str.match(/^(-)?(\d+)?(?:\.(\d+))?/);
if (!match) {
return fallback;
}

const sign = match[1] || "";
const intPart = match[2] || "";
const fracPart = match[3] || "";

// Require at least one digit overall
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sanitizeNumeric uses a regex that can match the empty string and is not anchored to the end. This means match is effectively never null (making the if (!match) branch dead) and inputs with trailing junk or extra decimals (e.g., "1.2.3", "12abc") will be partially parsed instead of rejected. Tighten the pattern to require a full-string numeric match (and include an end anchor) so malformed inputs correctly fall back.

Suggested change
const match = str.match(/^(-)?(\d+)?(?:\.(\d+))?/);
if (!match) {
return fallback;
}
const sign = match[1] || "";
const intPart = match[2] || "";
const fracPart = match[3] || "";
// Require at least one digit overall
// Require a full-string match so malformed inputs (e.g., "12abc", "1.2.3") fall back.
const match = str.match(/^(-)?(?:(\d+)(?:\.(\d+)?)?|\.(\d+))$/);
if (!match) {
return fallback;
}
const sign = match[1] || "";
let intPart = "";
let fracPart = "";
if (match[2] !== undefined) {
// Forms like "123", "123.", "123.45"
intPart = match[2] || "";
fracPart = match[3] || "";
} else {
// Forms like ".45"
intPart = "";
fracPart = match[4] || "";
}
// Require at least one digit overall (defensive, though regex already enforces this)

Copilot uses AI. Check for mistakes.
config/var/www/admin/control-panel/modules/utils.js
}

sanitizePercentage(input, fallback = "0%") {
const cleaned = String(input || "").replace(/[^\d.%]/g, "");
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sanitizePercentage uses String(input || ""), which treats numeric 0 as falsy and sanitizes it as an empty string (returning the fallback). For consistency with sanitizeNumeric and to avoid incorrectly rejecting a valid 0 value, use nullish coalescing (input ?? "") when building the cleaned string.

Suggested change
const cleaned = String(input || "").replace(/[^\d.%]/g, "");
const cleaned = String(input ?? "").replace(/[^\d.%]/g, "");

Copilot uses AI. Check for mistakes.
config/var/www/admin/control-panel/modules/utils.js
Comment on lines +148 to +157
// Ensure required class names are non-empty strings
if (
typeof containerClass !== "string" ||
containerClass.length === 0 ||
typeof iconClass !== "string" ||
iconClass.length === 0 ||
typeof contentClass !== "string" ||
contentClass.length === 0 ||
typeof timeClass !== "string" ||
timeClass.length === 0
Copy link

Copilot AI Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

createContentElement validates required class names using length === 0, but whitespace-only values (e.g., " ") will pass and still produce effectively classless / malformed elements. Consider trimming before checking emptiness (or checking .trim().length) so the guard actually prevents invalid class name inputs.

Suggested change
// Ensure required class names are non-empty strings
if (
typeof containerClass !== "string" ||
containerClass.length === 0 ||
typeof iconClass !== "string" ||
iconClass.length === 0 ||
typeof contentClass !== "string" ||
contentClass.length === 0 ||
typeof timeClass !== "string" ||
timeClass.length === 0
// Ensure required class names are non-empty, non-whitespace strings
if (
typeof containerClass !== "string" ||
containerClass.trim().length === 0 ||
typeof iconClass !== "string" ||
iconClass.trim().length === 0 ||
typeof contentClass !== "string" ||
contentClass.trim().length === 0 ||
typeof timeClass !== "string" ||
timeClass.trim().length === 0

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@PDowney PDowney Awaiting requested review from PDowney

Assignees

@PDowney PDowney

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@PDowney