Skip to content

[Fix] Theme boot script embeds storage key without script-context escaping#467

Merged
mrubens merged 1 commit into
developfrom
fix/theme-boot-js-code-sanitization-2sotwqoqx3o7z
Jul 17, 2026
Merged

[Fix] Theme boot script embeds storage key without script-context escaping#467
mrubens merged 1 commit into
developfrom
fix/theme-boot-js-code-sanitization-2sotwqoqx3o7z

Conversation

@roomote-roomote

Copy link
Copy Markdown
Contributor

Created by Roomote. Follow up by mentioning @roomote-roomote or in the web UI.

What changed

The theme FOUC boot script now applies extra Unicode escapes after JSON.stringify when embedding the personal theme storage key into the generated inline JavaScript. Unit tests cover script-breakout character escaping and that the embedded key still decodes to the intended localStorage key.

Why this change was made

CodeQL alert #67 (js/bad-code-sanitization) flags that JSON.stringify alone does not protect values interpolated into constructed JavaScript, especially against characters that can break out of an HTML/script embedding context. Hardening the embedding path closes the finding without relying on the storage key remaining a benign constant forever.

Impact

No intended user-facing theme behavior change for light, dark, or system preferences. The change is security hardening on the web theme boot embedding path and should clear the open improper code sanitization finding once CodeQL rescans.

Apply CodeQL-recommended post-JSON.stringify escapes so the inline FOUC
theme boot script cannot break out of a JavaScript/HTML script context.
@roomote-roomote

roomote-roomote Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor Author

No code issues found. See task

Reviewed a4c3ac9

@mrubens
mrubens marked this pull request as ready for review July 17, 2026 04:16
@mrubens
mrubens merged commit 965bea1 into develop Jul 17, 2026
16 checks passed
@mrubens
mrubens deleted the fix/theme-boot-js-code-sanitization-2sotwqoqx3o7z branch July 17, 2026 04:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants