From 6324a3a8081f28e26a2cb51ff4485bcf8a56bfe3 Mon Sep 17 00:00:00 2001 From: "Glenn R. Martin" <222487+grmartin@users.noreply.github.com> Date: Tue, 10 Jun 2025 18:28:02 -0400 Subject: [PATCH] Trying to fix the script tag vulnerability With code taken directly from CodeQL's manual. https://codeql.github.com/codeql-query-help/javascript/js-incomplete-multi-character-sanitization/ --- src/core/operations/ParseAITokens.mjs | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/src/core/operations/ParseAITokens.mjs b/src/core/operations/ParseAITokens.mjs index 06706fc0..170aec70 100644 --- a/src/core/operations/ParseAITokens.mjs +++ b/src/core/operations/ParseAITokens.mjs @@ -71,7 +71,7 @@ class ParseAITokens extends Operation { const encodedTokens = fns.encode(input); // IDs - let displayTokens = []; + let displayTokens; if (showIds) { displayTokens = encodedTokens.map((x)=> x.toString()); } else { @@ -134,18 +134,11 @@ class ParseAITokens extends Operation { */ replaceSpacesOutsideTags(htmlString) { return htmlString - .replace(/
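Review bot: In the first hunk (`@@ -71,7 +71,7 @@`), `let displayTokens;` now stays `undefined` until one of the `if (showIds)` / `else` branches assigns it, and the `else` branch lies outside the hunk, so it cannot be confirmed from here that every path assigns it. If both branches are a single assignment, a `const` with a conditional expression would state that invariant directly, e.g. `const displayTokens = showIds ? encodedTokens.map((x) => x.toString()) : /* existing else-branch expression */;`. If the else branch needs several statements, keeping `let` with a short comment such as `// assigned in both branches below` would make the intent clear to the next reader.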