Address some CodeQL security concerns (#35572)

Although there is no real security problem

web_src/fomantic/build/components/api.js

@@ -1144,8 +1144,8 @@ $.api.settings = {
   },
 
   regExp  : {
-    required : /\{\$*[A-z0-9]+\}/g,
-    optional : /\{\/\$*[A-z0-9]+\}/g,
+    required : /\{\$*[_A-Za-z0-9]+\}/g, // GITEA-PATCH: use "_A-Za-z" instead of "A-z" for variable name matching
+    optional : /\{\/\$*[_A-Za-z0-9]+\}/g, // GITEA-PATCH: use "_A-Za-z" instead of "A-z" for variable name matching
   },
 
   className: {

web_src/fomantic/build/components/dropdown.js

@@ -66,7 +66,7 @@ $.fn.dropdown = function(parameters) {
         moduleNamespace = 'module-' + namespace,
 
         $module         = $(this),
-        $context        = $(settings.context),
+        $context        = (typeof settings.context === 'string') ? $(document).find(settings.context) : $(settings.context), // GITEA-PATCH: use "jQuery.find(selector)" instead of "jQuery(selector)"
         $text           = $module.find(selector.text),
         $search         = $module.find(selector.search),
         $sizer          = $module.find(selector.sizer),

web_src/fomantic/build/components/modal.js

@@ -64,7 +64,7 @@ $.fn.modal = function(parameters) {
         moduleNamespace = 'module-' + namespace,
 
         $module         = $(this),
-        $context        = $(settings.context),
+        $context        = (typeof settings.context === 'string') ? $(document).find(settings.context) : $(settings.context), // GITEA-PATCH: use "jQuery.find(selector)" instead of "jQuery(selector)"
         $close          = $module.find(selector.close),
 
         $allModals,

web_src/js/features/comp/EditorMarkdown.test.ts

@@ -26,13 +26,13 @@ test('textareaSplitLines', () => {
 test('markdownHandleIndention', () => {
   const testInput = (input: string, expected?: string) => {
     const inputPos = input.indexOf('|');
-    input = input.replace('|', '');
+    input = input.replaceAll('|', '');
     const ret = markdownHandleIndention({value: input, selStart: inputPos, selEnd: inputPos});
     if (expected === null) {
       expect(ret).toEqual({handled: false});
     } else {
       const expectedPos = expected.indexOf('|');
-      expected = expected.replace('|', '');
+      expected = expected.replaceAll('|', '');
       expect(ret).toEqual({
         handled: true,
         valueSelection: {value: expected, selStart: expectedPos, selEnd: expectedPos},

web_src/js/features/repo-issue.ts

@@ -333,7 +333,7 @@ export function initRepoPullRequestReview() {
     let ntr = tr.nextElementSibling;
     if (!ntr?.classList.contains('add-comment')) {
       ntr = createElementFromHTML(`
-        <tr class="add-comment" data-line-type="${lineType}">
+        <tr class="add-comment" data-line-type="${htmlEscape(lineType)}">
           ${isSplit ? `
             <td class="add-comment-left" colspan="4"></td>
             <td class="add-comment-right" colspan="4"></td>

web_src/js/modules/fomantic/base.ts

@@ -14,4 +14,7 @@ export function linkLabelAndInput(label: Element, input: Element) {
   }
 }
 
-export const fomanticQuery = $;
+export function fomanticQuery(s: string | Element | NodeListOf<Element>): ReturnType<typeof $> {
+  // intentionally make it only work for query selector, it isn't used for creating HTML elements (for safety)
+  return typeof s === 'string' ? $(document).find(s) : $(s);
+}

web_src/js/utils.ts

@@ -35,7 +35,12 @@ export function isDarkTheme(): boolean {
 
 /** strip <tags> from a string */
 export function stripTags(text: string): string {
-  return text.replace(/<[^>]*>?/g, '');
+  let prev = '';
+  while (prev !== text) {
+    prev = text;
+    text = text.replace(/<[^>]*>?/g, '');
+  }
+  return text;
 }
 
 export function parseIssueHref(href: string): IssuePathInfo {