Added a CodeQL workflow to check for bugs through code analysis. Fixed numerous bugs and implemented safeguards as already reported.

src/core/Utils.mjs

@@ -705,7 +705,7 @@ class Utils {
      */
     static stripHtmlTags(htmlStr, removeScriptAndStyle=false) {
         if (removeScriptAndStyle) {
-            htmlStr = htmlStr.replace(/<(script|style)[^>]*>.*<\/(script|style)>/gmi, "");
+            htmlStr = htmlStr.replace(/<(script|style)[^>]*>.*?<\/(script|style)>/gi, "");
         }
         return htmlStr.replace(/<[^>]+>/g, "");
     }
@@ -729,11 +729,10 @@ class Utils {
             ">": "&gt;",
             '"': "&quot;",
             "'": "&#x27;", // &apos; not recommended because it's not in the HTML spec
-            "/": "&#x2F;", // forward slash is included as it helps end an HTML entity
             "`": "&#x60;"
         };
 
-        return str.replace(/[&<>"'/`]/g, function (match) {
+        return str.replace(/[&<>"'`]/g, function (match) {
             return HTML_CHARS[match];
         });
     }
@@ -879,7 +878,7 @@ class Utils {
         while ((m = recipeRegex.exec(recipe))) {
             // Translate strings in args back to double-quotes
             args = m[2]
-                .replace(/"/g, '\\"') // Escape double quotes
+                .replace(/"/g, '\\"') // Escape double quotes  lgtm [js/incomplete-sanitization]
                 .replace(/(^|,|{|:)'/g, '$1"') // Replace opening ' with "
                 .replace(/([^\\]|(?:\\\\)+)'(,|:|}|$)/g, '$1"$2') // Replace closing ' with "
                 .replace(/\\'/g, "'"); // Unescape single quotes