
Potential fix for code scanning alert no. 40: Incomplete string escaping or encoding#240

Draft
justlevine wants to merge 1 commit into develop from alert-autofix-40

Conversation

@justlevine (Collaborator)

Potential fix for https://github.com/rtCamp/snapwp/security/code-scanning/40

Generally, to fix this type of issue you should avoid using String.prototype.replace with a plain string when you intend to remove or escape all or specific occurrences of a character. Instead, either use a global regular expression (/.../g) to operate on all occurrences, or use a structurally precise manipulation such as slicing off a known prefix/suffix or using a capturing regex that extracts just what you need.

For this specific function, we know classAttribute is a string like class="foo bar baz" due to the preceding regex. We can robustly extract the class names by either:

  • Using another regex to capture only the content between the quotes, or
  • Removing the known prefix class=" and then removing only the final trailing " via slice rather than a generic replace.

The minimal change, preserving all existing behavior, is:

  1. Keep the classAttribute match as-is.
  2. Replace the chained .replace( 'class="', '' ).replace( '"', '' ) with:
    • First remove the prefix using replace('class="', '') (which is safe because it should appear only at the start); and
    • Then remove only the last character (the trailing "), via .slice(0, -1).

This avoids incomplete string replacement, does not change any public API behavior, and does not require any imports or new helpers. All changes are within packages/core/src/utils/styles/get-class-names-from-string.ts.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
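The three approaches the description discusses, side by side on constructed inputs, as an added TypeScript example that is not code from the snapwp repository or this PR. Function names and sample strings are assumptions; the trailing-quote check is an extra caveat for callers that cannot rely on the upstream regex.

```typescript
// Added example, not code from the snapwp repository or this PR.
// It contrasts the chained plain-string replace flagged by CodeQL with the
// slice-based fix and the capturing-regex alternative from the description.
// Function names and the sample strings below are constructed for this demo.

const PREFIX = 'class="';

// Before: replace() with a string pattern touches only the FIRST occurrence,
// so the second call is not a general "remove all quotes" step.
function stripChainedReplace(classAttribute: string): string {
  return classAttribute.replace(PREFIX, '').replace('"', '');
}

// After (this PR): drop the known prefix, then the final character, which the
// upstream regex is assumed to guarantee is the closing quote.
function stripPrefixAndSlice(classAttribute: string): string {
  return classAttribute.replace(PREFIX, '').slice(0, -1);
}

// Alternative from the description: capture only the quoted value, and return
// null for anything that is not exactly one class="..." token.
function extractWithCapture(classAttribute: string): string | null {
  const m = /^class="([^"]*)"$/.exec(classAttribute);
  return m?.[1] ?? null;
}

// Caveat for the slice approach: it silently eats a real character when the
// trailing quote is missing. Checking the invariant makes that failure loud.
function extractChecked(classAttribute: string): string {
  if (!classAttribute.startsWith(PREFIX) || !classAttribute.endsWith('"')) {
    throw new Error(`expected ${PREFIX}..." but got ${JSON.stringify(classAttribute)}`);
  }
  return classAttribute.slice(PREFIX.length, -1);
}

// Split an extracted value into class names, as the utility's name implies.
function toClassNames(value: string): string[] {
  return value.split(/\s+/).filter(Boolean);
}

// Constructed inputs: the well-formed case the PR relies on, a string with an
// extra quote (what a too-greedy upstream regex could hand over), and an
// unterminated attribute that breaks the trailing-quote invariant.
const WELL_FORMED = 'class="foo bar baz"';
const EXTRA_QUOTE = 'class="foo" data-x="1"';
const UNTERMINATED = 'class="foo';
```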
@changeset-bot

changeset-bot bot commented Feb 25, 2026

⚠️ No Changeset found

Latest commit: cb48f27

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Copilot AI (Contributor) left a comment

Pull request overview

This pull request addresses a security code scanning alert (CodeQL alert #40) about incomplete string escaping in the getClassNamesFromString utility function. The issue arises from using String.prototype.replace() with a plain string argument, which only replaces the first occurrence rather than all occurrences, potentially leaving special characters unescaped.

Changes:

  • Replaced .replace( '"', '' ) with .slice( 0, -1 ) for removing the trailing quote from class attribute values
  • This change provides structurally precise string manipulation since the regex guarantees the string ends with a quote character
