From ce52b082a42c5247181151dd6c835ea4b595f0b6 Mon Sep 17 00:00:00 2001
From: CyberChen
Date: Tue, 9 Jan 2024 17:00:27 +0800
Subject: [PATCH] update: sanitize HTML tag and new line breaks in desc
---
 cmd/format/sarif.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/cmd/format/sarif.go b/cmd/format/sarif.go
index 88de5a36..faa0f117 100644
--- a/cmd/format/sarif.go
+++ b/cmd/format/sarif.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"html"
 	"io"
+	"regexp"
 	"strings"
 
 	"github.com/xmirrorsecurity/opensca-cli/v3/cmd/detail"
@@ -154,8 +155,8 @@ func formatDesc(v *detail.VulnInfo) string {
 		{"| cnvd | %s |", v.Cnvd},
 		{"| cwe | %s |", v.Cwe},
 		{"| level | %s |", v.SecurityLevel()},
-		{"| desc | %s |", v.Description},
-		{"| suggestion | %s |", v.Suggestion},
+		{"| desc | %s |", sanitizeString(v.Description)},
+		{"| suggestion | %s |", sanitizeString(v.Suggestion)},
 	}
 	var lines []string
 	for _, line := range table {
@@ -168,9 +169,20 @@ func formatDesc(v *detail.VulnInfo) string {
 			lines = append(lines, fmt.Sprintf(line.fmt, line.val))
 		}
 	}
+
 	return html.EscapeString(strings.Join(lines, "\n"))
 }
 
+func sanitizeString(s string) string {
+	re := regexp.MustCompile("<[^>]*>")
+	s = re.ReplaceAllString(s, "")
+
+	s = strings.ReplaceAll(s, "\r", "")
+	s = strings.ReplaceAll(s, "\n", "")
+
+	return s
+}
+
 func formatTags(v *detail.VulnInfo) []string {
 	tags := []string{"security", "Use-Vulnerable-and-Outdated-Components", v.Cve, v.Cwe, v.AttackType, v.Language}
 	for i := 0; i < len(tags); {
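Review bot: The tag pattern `<[^>]*>` that sanitizeString (defined in the later hunk of this patch) applies to v.Description and v.Suggestion on the two added table rows also removes ordinary text between a `<` and the next `>`, so a description like `affects versions < 2.4 and > 1.0` would lose `< 2.4 and >` from the SARIF report and misstate the affected range. Since the joined text is already passed through `html.EscapeString` in formatDesc, the stripping only serves readability, so it can afford to be narrower; a pattern that requires a tag name or closing slash after `<`, such as `` `</?[A-Za-z][^>]*>` ``, keeps such comparisons intact while still dropping markup. formatDesc starts before this hunk and its table declaration is only partly visible here.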
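Review bot: `regexp.MustCompile("<[^>]*>")` runs on every call to sanitizeString, which formatDesc invokes twice per vulnerability; compile it once at package scope and reference the shared value from the function. Replacing `"\n"` with the empty string also joins adjacent words (`"first line\nsecond line"` becomes `"first linesecond line"`); a single space keeps the value on one table row without losing word boundaries. sanitizeString has no doc comment; it should say that it prepares a field for a single markdown table row and that HTML escaping is still done by the caller. If the source descriptions can ever contain `|`, that character would also split the markdown cell, but I cannot tell from this hunk whether that occurs.
```go
// htmlTagRe matches anything shaped like an HTML/XML tag; matches are removed
// from descriptions before they are placed in a markdown table cell.
var htmlTagRe = regexp.MustCompile("<[^>]*>")

// sanitizeString strips tag-like text and line breaks from s so the value fits
// on a single markdown table row. The caller (formatDesc) still HTML-escapes
// the result, so this is a readability step, not the escaping boundary.
func sanitizeString(s string) string {
	s = htmlTagRe.ReplaceAllString(s, "")
	s = strings.ReplaceAll(s, "\r", "")
	return strings.ReplaceAll(s, "\n", " ")
}
```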