From a7607ea628ca729671b734b255fe407be4620437 Mon Sep 17 00:00:00 2001
From: Peter Downey
Date: Fri, 4 Jul 2025 02:25:42 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 14: Incomplete multi-character sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../var/www/admin/control-panel/dashboard.js | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/config/var/www/admin/control-panel/dashboard.js b/config/var/www/admin/control-panel/dashboard.js
index 85c05e59..18e1949c 100644
--- a/config/var/www/admin/control-panel/dashboard.js
+++ b/config/var/www/admin/control-panel/dashboard.js
@@ -893,15 +893,19 @@ class EngineScriptDashboard {
 // For logs, we allow more characters but still remove dangerous patterns
 // Keep line breaks and basic formatting for readability but remove XSS vectors
- return input
- .replace(/\0/g, '') // Remove null bytes first
- .replace(/[<>&"'`]/g, '') // Remove HTML/XML special characters that could break out of attributes
- .replace(/javascript:/gi, '') // Remove javascript: protocol
- .replace(/data:/gi, '') // Remove data: protocol
- .replace(/vbscript:/gi, '') // Remove vbscript: protocol
- .replace(/on\w+=/gi, '') // Remove event handlers
- .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '') // Remove control chars but keep \t, \n, \r
- .substring(0, 50000); // Reasonable log size limit
+ let previous;
+ do {
+ previous = input;
+ input = input
+ .replace(/\0/g, '') // Remove null bytes first
+ .replace(/[<>&"'`]/g, '') // Remove HTML/XML special characters that could break out of attributes
+ .replace(/javascript:/gi, '') // Remove javascript: protocol
+ .replace(/data:/gi, '') // Remove data: protocol
+ .replace(/vbscript:/gi, '') // Remove vbscript: protocol
+ .replace(/on\w+=/gi, '') // Remove event handlers
+ .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, ''); // Remove control chars but keep \t, \n, \r
+ } while (input !== previous);
+ return input.substring(0, 50000); // Reasonable log size limit
 }
 setTextContent(elementId, content) {
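Review bot: The fixpoint loop now strips nested patterns, but the `on\w+=` and `data:` rules on the new side delete ordinary log text — `connection=closed` becomes `cclosed` and `metadata: x` becomes `meta x` — so the sanitizer silently corrupts the logs it is meant to display; if the result is rendered through the `setTextContent` helper visible just below, text assignment already neutralizes markup and the blocklist could be reduced to the null-byte and control-character rules. Independently, the 50000-character cap is applied only after the loop, so every pass scans the full untruncated input and an oversized log can make the loop do quadratic work; truncate before looping with `input = input.substring(0, 50000); // cap first so the fixpoint loop is bounded` ahead of the `do` and `return input;` at the end. The start of the enclosing method is outside the hunk, so whether `input` is guaranteed to be a string before the first `.replace` is not visible here.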