Conversation
Summary of Changes

Hello @inoray, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request

Highlights
Code Review
This PR improves how the HTML parser handles nested tables by storing previously skipped tables as raw HTML code items to prevent data loss. However, capturing the raw HTML string introduces a Cross-Site Scripting (XSS) risk, which is inconsistent with the backend's usual practice of stripping HTML tags to extract text content. It is recommended to extract text content safely to maintain security and consistency. Additionally, there is a suggestion regarding the charspan value of the generated ProvenanceItem.
| original_html = str(element) | ||
|
|
||
| # 코드 아이템으로 추가하여 HTML 형식 유지 | ||
| doc.add_code( | ||
| parent=self.parents[self.level], | ||
| text=original_html, |
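Review bot: `original_html = str(element)` stores raw markup in a CodeItem, so the safety of this line rests entirely on every exporter treating code-item text as literal data; a Markdown exporter that wraps it in a fenced block is fine, but an HTML exporter must escape `<`, `>` and `&` before emitting it, or a `<script>` tag or an `onerror=` attribute inside the nested table reaches the output as live markup. If the intent is to keep the table's content rather than its markup, consider serializing the nested table's rows and cells to text instead of `str(element)`; the `get_text(strip=True)` alternative proposed below collapses all cells into one string and loses the structure this PR is trying to preserve. The comment on the line above is in Korean while the rest of the handler's comments are in English; keep one language for in-code comments.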
The use of str(element) to capture the raw HTML of a nested table and store it in a CodeItem introduces a potential Cross-Site Scripting (XSS) vulnerability. Unlike other handlers in this class that use .text or .get_text() to extract only the text content and strip HTML tags, this approach preserves all HTML tags, including potentially malicious ones like <script>, <iframe>, or event handlers (e.g., onerror). If the resulting document is exported and rendered in a web environment without proper sanitization, these scripts could be executed in the user's browser. To remediate this, you should extract only the text content or ensure the HTML is properly sanitized or escaped before being stored in the document model.
| original_html = str(element) | |
| # 코드 아이템으로 추가하여 HTML 형식 유지 | |
| doc.add_code( | |
| parent=self.parents[self.level], | |
| text=original_html, | |
| text_content = element.get_text(strip=True) | |
| # 코드 아이템으로 추가하여 HTML 형식 유지 | |
| doc.add_code( | |
| parent=self.parents[self.level], | |
| text=text_content, |
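The two defensive options discussed in this comment, escaping raw markup before any HTML export and a structure-preserving text serialization that drops tags and attributes, as an added stand-alone example (not code from this PR or its project; it uses only the standard library, and the sample nested table with an injected script and event-handler attribute is constructed here):

```python
import html
from html.parser import HTMLParser

# Constructed sample: a nested table whose cells carry the kind of content the
# review warns about (an inline <script> and an onerror= event handler).
NESTED_TABLE_HTML = (
    '<table><tr><td>a</td><td onerror="alert(1)">b</td></tr>'
    '<tr><td><script>alert(1)</script>c</td><td>d</td></tr></table>'
)

def escape_for_html_export(raw_markup: str) -> str:
    """Raw markup kept in a code item must be escaped before an HTML exporter
    emits it, so tags become literal text instead of live elements."""
    return html.escape(raw_markup, quote=True)

class _TableRows(HTMLParser):
    """Collect cell text per row of the outermost table. Only character data is
    kept, so attributes vanish; <script>/<style> bodies are skipped; cells of
    a further nested table are folded into the enclosing cell's text."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell, self._inner, self._skip = [], None, None, 0, 0
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            if self._row is None: self._row = []
        elif tag in ("td", "th"):
            if self._cell is None: self._cell = []
            else: self._inner += 1          # td inside an open cell: nested table
        elif tag in ("script", "style"): self._skip += 1
    def handle_data(self, data):
        if self._cell is not None and not self._skip: self._cell.append(data)
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            if self._inner: self._inner -= 1
            else: self._row.append("".join(self._cell).strip()); self._cell = None
        elif tag == "tr" and self._row is not None and self._cell is None:
            self.rows.append(self._row); self._row = None
        elif tag in ("script", "style") and self._skip: self._skip -= 1

def table_to_text(raw_markup: str) -> str:
    """Alternative to get_text(strip=True): one line per row, cells separated by
    tabs, no markup retained."""
    p = _TableRows(); p.feed(raw_markup); p.close()
    return "\n".join("\t".join(r) for r in p.rows)
```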
| prov=ProvenanceItem( | ||
| page_no=1, | ||
| bbox=BoundingBox(l=0, t=0, r=1, b=1), | ||
| charspan=(0, len(original_html)) |
You set charspan to (0, len(original_html)), but this can provide potentially inaccurate information. charspan normally denotes character positions in the original document. However, the HTML string generated by str(element) may differ from the original in whitespace, attribute order and so on, so len(original_html) may not match the actual length in the original.
Elsewhere in this file, charspan is set to (0, 0) to indicate that the position information is unknown. To stay consistent and avoid any confusion, I suggest setting charspan=(0, 0) here as well.
| charspan=(0, len(original_html)) | |
| charspan=(0, 0) |
Checklist: