
Potential fix for code scanning alert no. 28: Incomplete string escaping or encoding#6140

Merged
dmetzner merged 1 commit into develop from alert-autofix-28 on Jan 27, 2026

Conversation

@dmetzner (Collaborator)

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/28

In general, to fix this issue you should avoid hand-rolled partial escaping when embedding arbitrary strings into query selectors, and instead either (a) avoid string concatenation by using attribute-aware DOM APIs, or (b) correctly escape all special characters, including backslashes, using a robust method.

The best fix here, without changing functionality, is to stop building the selector string with an interpolated attribute value and instead select the category element using querySelector with an attribute-only selector (assuming data-name values are known beforehand), or more robustly, use querySelectorAll and compare dataset.name in code. However, that would be a functional change. A minimal, targeted fix that preserves current behavior is to escape both backslashes and double quotes in file.category in the correct order: first escape backslashes (\ becomes \\), then escape double quotes (" becomes \"). This prevents existing backslashes from interfering with the escaping of quotes and ensures the resulting selector string is well-formed.

Concretely, in assets/MediaLibrary/MediaLib.js, around line 174, change:

const catEscaped = file.category.replace(/"/g, '\\"')

to something that first escapes backslashes globally, then escapes quotes globally, for example:

const catEscaped = file.category.replace(/\\/g, '\\\\').replace(/"/g, '\\"')

No new imports or external libraries are needed, and this keeps the logic and usage of catEscaped identical while fixing the incomplete escaping.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ing or encoding

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
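The contrast described in the PR description, as an added example that is not code from the Catroweb repository: the quote-only escaping the alert flagged beside the backslash-then-quote escaping the fix applies, plus the dataset.name comparison the description mentions as the selector-free alternative. The selector shape `[data-name="..."]`, the helper names, and the sample category strings are assumptions made for this example; the PR only shows the one-line `catEscaped` change. Each escaper is checked by decoding the resulting selector back into the original value, which is where the trailing-backslash and backslash-before-quote cases expose the incomplete version.

```javascript
// Added example, not code from the Catroweb repository. It contrasts the
// incomplete escaping flagged by the alert with the fix the PR describes,
// and checks each by decoding the resulting [data-name="..."] selector back
// into the original category value.

// Before the fix: only double quotes are escaped.
function escapeCategoryIncomplete(category) {
  return category.replace(/"/g, '\\"');
}

// After the fix: backslashes first, then double quotes. Escaping quotes
// first would leave a trailing "\" free to swallow the closing quote.
function escapeCategoryComplete(category) {
  return category.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Selector shape assumed for this example; the PR does not show the real one.
function buildSelector(escaped) {
  return `[data-name="${escaped}"]`;
}

// Minimal decoder for a double-quoted CSS string inside [data-name="..."].
// It applies only the "backslash quotes the next character" rule (enough
// for \\ and \"); hex escapes such as \41 are deliberately not handled.
// Returns the decoded value, or null when the quoted string does not end
// exactly at the closing `"]`.
function parseDataNameSelector(selector) {
  const prefix = '[data-name="';
  if (!selector.startsWith(prefix)) return null;
  let value = '';
  let i = prefix.length;
  while (i < selector.length) {
    const ch = selector[i];
    if (ch === '\\') {
      if (i + 1 >= selector.length) return null; // dangling backslash
      value += selector[i + 1];
      i += 2;
    } else if (ch === '"') {
      // The closing quote must be followed by "]" and nothing else.
      return selector.slice(i) === '"]' ? value : null;
    } else {
      value += ch;
      i += 1;
    }
  }
  return null; // string never terminated
}

// True when escape -> embed -> decode gives back the original category.
function roundTrips(escapeFn, category) {
  return parseDataNameSelector(buildSelector(escapeFn(category))) === category;
}

// The alternative the PR mentions: skip selector building and compare
// dataset.name in code. Elements are modelled as plain objects with a
// dataset property so this runs outside a browser.
function findByCategory(elements, category) {
  return elements.find((el) => el.dataset.name === category) ?? null;
}

// Constructed sample inputs: a plain name, one with quotes, and two with
// backslashes that break the incomplete escaping.
const SAMPLE_CATEGORIES = ['Animals', 'Say "hi"', 'C:\\dir\\', 'a\\"b'];

function compareEscapers() {
  return SAMPLE_CATEGORIES.map((category) => ({
    category,
    incomplete: roundTrips(escapeCategoryIncomplete, category),
    complete: roundTrips(escapeCategoryComplete, category),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareEscapers());
}
```

Running the block prints one row per sample category; the incomplete escaper fails round-tripping exactly for `C:\dir\` (the escaped closing quote leaves the string unterminated) and `a\"b` (the original backslash neutralises the added one, so the quote closes the string early). In a browser, the standard CSS.escape() function is the library-grade alternative to a hand-written escaper, and the dataset.name comparison shown in findByCategory needs no escaping at all.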
@codecov

codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.01%. Comparing base (8ad5c7e) to head (4d9cebb).
⚠️ Report is 19 commits behind head on develop.

Additional details and impacted files
@@            Coverage Diff             @@
##             develop    #6140   +/-   ##
==========================================
  Coverage      50.00%   50.01%           
  Complexity      7481     7481           
==========================================
  Files            722      722           
  Lines          24100    24100           
==========================================
+ Hits           12052    12053    +1     
+ Misses         12048    12047    -1     
Flag      Coverage   Δ
behat     47.70%     <ø> (+<0.01%) ⬆️
phpunit   10.18%     <ø> (ø)

Flags with carried forward coverage won't be shown.


@dmetzner dmetzner marked this pull request as ready for review January 27, 2026 07:36
@dmetzner dmetzner merged commit c8902e4 into develop Jan 27, 2026
51 checks passed