Update CodeQL scanning to separate workflow and fix issues

.github/workflows/ci-validate-codeql.yml

@@ -0,0 +1,65 @@
+name: Validate CodeQL
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+
+  pull_request:
+    branches:
+      - master
+
+  schedule:
+    - cron: 0 7 * * 3
+
+permissions:
+  security-events: write
+
+jobs:
+  cross-platform_cross-browser:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [ubuntu-latest]
+
+    env:
+      PLAYWRIGHT_BROWSERS_PATH: 0
+
+    steps:
+      - name: Set git to use LF
+        if: ${{ matrix.os == 'windows-latest' }}
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+
+      - name: Checkout Branch
+        uses: actions/checkout@v2
+
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          git fetch --no-tags --prune --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+
+      - name: Cache multiple paths
+        uses: actions/cache@v2
+        env:
+          cache-name: cache-node-modules
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-name }}-
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"

.github/workflows/ci-validate-platforms.yml

@@ -1,6 +1,7 @@
 name: Validate Platforms/Browsers
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - master
@@ -64,15 +65,4 @@ jobs:
           npx playwright install
 
       - name: Run tests in all Packages
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         run: npm run test
-
-      - name: Initialize CodeQL
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        uses: github/codeql-action/init@v1
-        with:
-          languages: javascript, typescript
-
-      - name: Perform CodeQL Analysis
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        uses: github/codeql-action/analyze@v1

change/@microsoft-fast-element-66c55455-9b64-4d8c-a517-be10925cfd1a.json

@@ -3,5 +3,5 @@
   "comment": "Adds support for FASTElement hydration",
   "packageName": "@microsoft/fast-element",
   "email": "171390049+prabhujayapal@users.noreply.github.com",
-  "dependentChangeType": "patch"
+  "dependentChangeType": "prerelease"
 }

change/@microsoft-fast-element-ed4fc460-a15b-4c5a-adab-36034f4f0c18.json

@@ -0,0 +1,7 @@
+{
+  "type": "prerelease",
+  "comment": "Fix CodeQL issues",
+  "packageName": "@microsoft/fast-element",
+  "email": "7559015+janechu@users.noreply.github.com",
+  "dependentChangeType": "prerelease"
+}

change/@microsoft-fast-router-8b07e1d4-0e01-4065-9377-aa36685a56ca.json

@@ -0,0 +1,7 @@
+{
+  "type": "prerelease",
+  "comment": "Fix CodeQL issues",
+  "packageName": "@microsoft/fast-router",
+  "email": "7559015+janechu@users.noreply.github.com",
+  "dependentChangeType": "prerelease"
+}

change/@microsoft-fast-ssr-f22b45fd-23fb-4386-82fa-72d59f744cd6.json

@@ -3,5 +3,5 @@
   "comment": "Adds support for FASTElement hydration",
   "packageName": "@microsoft/fast-ssr",
   "email": "171390049+prabhujayapal@users.noreply.github.com",
-  "dependentChangeType": "patch"
+  "dependentChangeType": "prerelease"
 }

packages/web-components/fast-element/src/components/hydration.ts

@@ -15,8 +15,8 @@ const bindingStartMarker = /fe-b\$\$start\$\$(\d+)\$\$(.+)\$\$fe-b/;
 const bindingEndMarker = /fe-b\$\$end\$\$(\d+)\$\$(.+)\$\$fe-b/;
 const repeatViewStartMarker = /fe-repeat\$\$start\$\$(\d+)\$\$fe-repeat/;
 const repeatViewEndMarker = /fe-repeat\$\$end\$\$(\d+)\$\$fe-repeat/;
-const elementBoundaryStartMarker = /fe-eb\$\$start\$\$(.+)\$\$fe-eb/;
-const elementBoundaryEndMarker = /fe-eb\$\$end\$\$(.+)\$\$fe-eb/;
+const elementBoundaryStartMarker = /^(?:.{0,1000})fe-eb\$\$start\$\$(.+?)\$\$fe-eb/;
+const elementBoundaryEndMarker = /fe-eb\$\$end\$\$(.{0,1000})\$\$fe-eb(?:.{0,1000})$/;
 
 function isComment(node: Node): node is Comment {
     return node && node.nodeType === Node.COMMENT_NODE;
@@ -54,7 +54,7 @@ export const HydrationMarkup = Object.freeze({
         return repeatViewEndMarker.test(content);
     },
     isElementBoundaryStartMarker(node: Node) {
-        return isComment(node) && elementBoundaryStartMarker.test(node.data);
+        return isComment(node) && elementBoundaryStartMarker.test(node.data.trim());
     },
     isElementBoundaryEndMarker(node: Node) {
         return isComment(node) && elementBoundaryEndMarker.test(node.data);
@@ -93,7 +93,7 @@ export const HydrationMarkup = Object.freeze({
      * Parses element Id from element boundary markers
      */
     parseElementBoundaryStartMarker(content: string): null | string {
-        return parseStringMarker(elementBoundaryStartMarker, content);
+        return parseStringMarker(elementBoundaryStartMarker, content.trim());
     },
     parseElementBoundaryEndMarker(content: string): null | string {
         return parseStringMarker(elementBoundaryEndMarker, content);

packages/web-components/fast-element/src/dom-policy.ts

@@ -77,7 +77,7 @@ function safeURL(
 ): DOMSink {
     return (target: Node, name: string, value: string, ...rest: any[]) => {
         if (isString(value)) {
-            value = value.replace("javascript:", "");
+            value = value.replace(/(javascript:|vbscript:|data:)/, "");
         }
 
         sink(target, name, value, ...rest);

packages/web-components/fast-router/src/query-string.ts

@@ -1,5 +1,5 @@
 const encode = encodeURIComponent;
-const encodeKey = (key: string) => encode(key).replace("%24", "$");
+const encodeKey = (key: string) => encode(key).replace(/%24/g, "$");
 
 function buildParam(key: string, value: any, traditional?: boolean): Array<string> {
     let result: string[] = [];
@@ -51,8 +51,12 @@ function processScalarParam(existedParam: any, value: string): any {
     return value;
 }
 
-function parseComplexParam(queryParams: Object, keys: string[], value: any): void {
-    let currentParams: any = queryParams;
+function parseComplexParam(
+    queryParams: Record<string, any>,
+    keys: string[],
+    value: any
+): void {
+    let currentParams: Record<string, any> = queryParams;
     const keysLastIndex = keys.length - 1;
 
     for (let j = 0; j <= keysLastIndex; j++) {
@@ -61,13 +65,14 @@ function parseComplexParam(queryParams: Object, keys: string[], value: any): voi
             // The value has to be an array or a false value
             // It can happen that the value is no array if the key was repeated with traditional style like `list=1&list[]=2`
             const prevValue =
-                !currentParams[key] || typeof currentParams[key] === "object"
-                    ? currentParams[key]
-                    : [currentParams[key]];
-            currentParams = currentParams[key] =
-                prevValue || (isNaN(keys[j + 1] as any) ? {} : []);
+                !currentParams.get(key) || typeof currentParams.get(key) === "object"
+                    ? currentParams.get(key)
+                    : [currentParams.get(key)];
+            currentParams.set(key, prevValue || (isNaN(keys[j + 1] as any) ? {} : []));
+            currentParams = currentParams.get(key);
         } else {
-            currentParams = currentParams[key] = value;
+            currentParams.set(key, value);
+            currentParams = currentParams.get(key);
         }
     }
 }