
Sanitize titles for Unicode security and duplicate prefix prevention#14825

Merged
pelikhan merged 3 commits intomainfrom
copilot/sanitize-title-handling
Feb 10, 2026

Conversation

Contributor

Copilot AI commented Feb 10, 2026

Titles in safe output handlers were vulnerable to Unicode-based attacks (bidirectional overrides, zero-width characters, fullwidth ASCII) and agent-generated duplicate prefixes.

Changes

  • New module sanitize_title.cjs

    • sanitizeTitle(title, titlePrefix) - Applies Unicode hardening via hardenUnicodeText() and strips duplicate prefix occurrences (handles separators: :, -, |)
    • applyTitlePrefix(sanitizedTitle, titlePrefix) - Safely applies prefix after sanitization
  • Unicode security hardening

    • NFC normalization, zero-width removal (U+200B-D, FEFF), bidi override removal (U+202A-E, 2066-9), fullwidth→ASCII (U+FF01-5E)
  • Integration

    • create_issue.cjs, create_discussion.cjs, create_pull_request.cjs - Sanitize then apply prefix
    • update_issue.cjs, update_discussion.cjs, update_pull_request.cjs - Sanitize only (no prefix handling)

Example

// Before: Vulnerable to Unicode attacks and duplicate prefixes
title = titlePrefix + message.title;

// After: Sanitized and deduplicated
title = sanitizeTitle(message.title, titlePrefix);  // Hardens Unicode, removes dupes
title = applyTitlePrefix(title, titlePrefix);        // Applies prefix safely

Prevents attacks like "[Agent]\u200B\u202A[Agent]\u202C Fix" → "[Agent] Fix" and ensures consistent, secure title handling across all entity types.
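As an added example, not the project's sanitize_title.cjs and written from the description above rather than the merged code, the following self-contained implementation shows the two-step pattern: hardenUnicodeText() with the four transforms listed (NFC, zero-width removal, bidi override removal, fullwidth to ASCII), sanitizeTitle() stripping repeated leading occurrences of the prefix across the :, - and | separators, and applyTitlePrefix(). The exact regexes, the case-insensitive prefix match and the 0xFEE0 fullwidth offset are assumptions of this example, not details taken from the module.

```javascript
// Added example only; the real sanitize_title.cjs may differ in details.
// Ranges taken from the PR description: U+200B-D and U+FEFF (zero-width),
// U+202A-E and U+2066-9 (bidi overrides/isolates), U+FF01-5E (fullwidth ASCII).
const ZERO_WIDTH = /[\u200B-\u200D\uFEFF]/g;
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/g;
const FULLWIDTH_ASCII = /[\uFF01-\uFF5E]/g;

function hardenUnicodeText(text) {
  // NFC first so decomposed sequences collapse to one canonical form
  let out = String(text).normalize('NFC');
  out = out.replace(ZERO_WIDTH, '');
  out = out.replace(BIDI_CONTROLS, '');
  // Fullwidth U+FF01..U+FF5E sits exactly 0xFEE0 above printable ASCII U+0021..U+007E
  out = out.replace(FULLWIDTH_ASCII, ch => String.fromCharCode(ch.charCodeAt(0) - 0xFEE0));
  return out;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Harden the title, then strip every leading copy of the prefix (optionally
// followed by ':', '-' or '|'). Only the start of the title is touched, so a
// legitimate mention of the prefix later in the title survives.
function sanitizeTitle(title, titlePrefix) {
  let out = hardenUnicodeText(title);
  // Harden the prefix too, so a zero-width or fullwidth variant of it is
  // still recognised as a duplicate (assumption of this example).
  const prefix = titlePrefix ? hardenUnicodeText(titlePrefix).trim() : '';
  if (prefix) {
    const leading = new RegExp('^\\s*' + escapeRegExp(prefix) + '\\s*[:\\-|]?\\s*', 'i');
    // Each match consumes at least the prefix itself, so this loop terminates
    while (leading.test(out)) out = out.replace(leading, '');
  }
  return out.trim();
}

// Apply the prefix exactly once, after sanitization has removed any copies
function applyTitlePrefix(sanitizedTitle, titlePrefix) {
  if (!titlePrefix) return sanitizedTitle;
  const prefix = titlePrefix.trim();
  return sanitizedTitle ? `${prefix} ${sanitizedTitle}` : prefix;
}

// Constructed sample matching the case in the PR description
const agentTitle = '[Agent]\u200B\u202A[Agent]\u202C Fix';
console.log(applyTitlePrefix(sanitizeTitle(agentTitle, '[Agent]'), '[Agent]')); // "[Agent] Fix"
```

The order matters: hardening runs before the prefix check so that a prefix hidden behind zero-width characters or written in fullwidth letters is normalised into the plain form the regex compares against; checking first and hardening afterwards would let the duplicate through.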



Copilot AI and others added 2 commits February 10, 2026 19:21
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add sanitization for issue and pull request titles Sanitize titles for Unicode security and duplicate prefix prevention Feb 10, 2026
Copilot AI requested a review from pelikhan February 10, 2026 19:28
@pelikhan pelikhan marked this pull request as ready for review February 10, 2026 19:34
Copilot AI review requested due to automatic review settings February 10, 2026 19:34
Contributor

Copilot AI left a comment


Pull request overview

This PR introduces Unicode security hardening and duplicate prefix prevention for titles in issue, discussion, and pull request handlers. It addresses vulnerabilities to Unicode-based attacks (bidirectional overrides, zero-width characters, fullwidth ASCII) and prevents agents from generating duplicate title prefixes.

Changes:

  • New sanitize_title.cjs module with sanitizeTitle() and applyTitlePrefix() functions
  • Integration of title sanitization in all create handlers (issues, discussions, PRs)
  • Integration of title sanitization in all update handlers (issues, discussions, PRs)
  • Comprehensive test suite covering Unicode attacks, prefix deduplication, and edge cases

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  • actions/setup/js/sanitize_title.cjs: New module implementing Unicode hardening via hardenUnicodeText() and smart prefix removal with separator handling
  • actions/setup/js/sanitize_title.test.cjs: Comprehensive test suite covering Unicode security, prefix deduplication, and integration scenarios
  • actions/setup/js/create_issue.cjs: Integrates two-step sanitization: sanitizeTitle() to harden and deduplicate, then applyTitlePrefix() to safely apply the prefix
  • actions/setup/js/create_discussion.cjs: Same two-step sanitization pattern as create_issue.cjs
  • actions/setup/js/create_pull_request.cjs: Same two-step sanitization pattern as create_issue.cjs
  • actions/setup/js/update_issue.cjs: Applies sanitizeTitle() without a prefix parameter (updates don't need prefix handling)
  • actions/setup/js/update_discussion.cjs: Same update-only sanitization pattern as update_issue.cjs
  • actions/setup/js/update_pull_request.cjs: Same update-only sanitization pattern as update_issue.cjs


@pelikhan pelikhan merged commit 2fcef7a into main Feb 10, 2026
165 checks passed
@pelikhan pelikhan deleted the copilot/sanitize-title-handling branch February 10, 2026 19:40