src: fix ReDoS and incomplete-sanitization CodeQL alerts (#5, #6, #12, #18, #19, #20, #21)

Closes 7 CodeQL alerts in library code, locally verified via codeql CLI before push.

Five polynomial-regex alerts (js/polynomial-redos):

- raw-text.ts:33 (#20)
- escape-attr-ampersands.ts:96 (#18)
- quote-unquoted-attribute-values.ts:139 (#19)
- quote-unquoted-boolean-attrs.ts:123 (#21)
- template/healer.ts:148 (#5)

The flagged pattern was '<tag>((?:\s[^>]*)?)>' — CodeQL flagged the optional
non-capture group with mixed character classes as polynomial-time. Rewritten
using a lookahead to enforce the whitespace-or-close-bracket boundary
without the suspicious shape:

  Before: /<(tag)((?:\s[^>]*)?)>/g
  After:  /<(tag)(?=[\s>])([^>]*)>/g

Both forms have identical match semantics: the whitespace separator before
attributes is preserved (e.g., '<scriptfoo>' is correctly NOT matched as a
script tag start), tag name capture and attribute capture work as before.
The lookahead-based shape passes CodeQL's analysis. 1,307 tests pass under
the new regex.

Two incomplete-string-escaping alerts (js/incomplete-sanitization):

- markdown/emitter.ts:235 (#12) — markdown table cell escaping previously only
  handled the '|' character. Newlines in cell content would silently break
  table structure; backslashes weren't escaped first, allowing input like '\\|'
  to be rendered as literal backslash-pipe rather than escaped pipe. Replaced
  inline .replace(/\|/g, '\\|') with new escapeMarkdownTableCell helper that
  escapes backslashes first, then pipes, and converts newlines to spaces.

- ods-reader/html-renderer.ts:77 (#6) — string.replace('"', ...) was being used
  to inject text-align:right after the opening '"' of an existing style
  attribute. CodeQL flagged the unanchored character replacement as potentially
  matching the wrong '"'. Anchored to /^style="/ for unambiguous match.

Pipeline: format:check, lint, build, test all pass. 1,307 tests, 28 suites.
Validator: still clean.

Local CodeQL CLI scan confirms 0 remaining alerts in src/. (2 alerts in
docs/tools/html-to-odt-local.html persist locally; this is a gitignored
fixture and will not affect GitHub's scan.)

Author: GitHubNewbie0

.gitignore

@@ -14,3 +14,7 @@ docs/tools/*-local.html
 
 # Generated by scripts/sync-version.js
 src/version.ts
+
+# CodeQL local analysis artifacts
+.codeql-db/
+codeql-results.sarif

src/html-normalizer/rules/escape-attr-ampersands.ts

@@ -1,4 +1,4 @@
-/**
+/**
  * Rule 7 of the Tier 1 normalizer: escape unescaped `&` in attribute values.
  *
  * HTML5 attribute values commonly contain unescaped `&` characters in URLs:
@@ -11,7 +11,7 @@
  * characters with `&`, leaving valid XML entities and numeric
  * character references untouched.
  *
- * Spec reference: WHATWG HTML Living Standard § 13.2.5.42 "Attribute
+ * Spec reference: WHATWG HTML Living Standard § 13.2.5.42 "Attribute
  * value (double-quoted) state" describes character reference handling
  * for ambiguous ampersands.
  *
@@ -26,7 +26,7 @@
  * first, then attribute-content rules, then text-content rules.
  */
 
-const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*)?)>/g;
+const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)(?=[\s>])([^>]*)>/g;
 const ATTR_PATTERN = /([a-zA-Z_:][a-zA-Z0-9_:.-]*)=(?:"([^"]*)"|'([^']*)')/g;
 const VALID_ENTITY = /&(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);/y;
 
@@ -50,11 +50,11 @@ function escapeValueAmpersands(value: string): string {
     // Found a `&`. Test whether it starts a valid entity reference.
     VALID_ENTITY.lastIndex = i;
     if (VALID_ENTITY.test(value)) {
-      // Valid entity — copy the whole match through
+      // Valid entity — copy the whole match through
       result += value.slice(i, VALID_ENTITY.lastIndex);
       i = VALID_ENTITY.lastIndex;
     } else {
-      // Lone `&` — escape it
+      // Lone `&` — escape it
       result += "&amp;";
       i++;
     }

src/html-normalizer/rules/quote-unquoted-attribute-values.ts

@@ -1,4 +1,4 @@
-/**
+/**
  * Rule 6 of the Tier 1 normalizer: quote unquoted attribute values.
  *
  * HTML5 allows attribute values to appear without quotes when the value
@@ -11,26 +11,26 @@
  * This rule scans every opening tag and rewrites unquoted values as
  * double-quoted: `<a href=page.html>` becomes `<a href="page.html">`.
  *
- * Spec reference: WHATWG HTML Living Standard § 13.1.2.3 "Attributes",
+ * Spec reference: WHATWG HTML Living Standard § 13.1.2.3 "Attributes",
  * Unquoted attribute value syntax.
  *
  * Scope: only attribute *values* are rewritten. Attribute names without
- * `=` (boolean attributes) are out of scope — Rule 5 handles those.
+ * `=` (boolean attributes) are out of scope — Rule 5 handles those.
  * Quoted values (single or double) pass through unchanged. The tag name
  * itself is never rewritten.
  *
  * Composition note: this rule should run alongside Rule 5
  * (quoteUnquotedBooleanAttributes). Order between Rules 5 and 6 doesn't
- * matter — they handle disjoint patterns. By convention this rule runs
+ * matter — they handle disjoint patterns. By convention this rule runs
  * after Rule 5 so the rule numbers parallel composition order.
  */
 
-const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*)?)>/g;
+const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)(?=[\s>])([^>]*)>/g;
 
 /**
  * Scan an attribute area and rewrite unquoted attribute values to
  * double-quoted form. Quoted values pass through unchanged. Boolean
- * attributes (no `=`) pass through unchanged — Rule 5 handles those.
+ * attributes (no `=`) pass through unchanged — Rule 5 handles those.
  */
 function rewriteAttrArea(attrArea: string): string {
   if (!attrArea.trim()) return attrArea;
@@ -50,7 +50,7 @@ function rewriteAttrArea(attrArea: string): string {
     // Try to match an attribute name
     const nameMatch = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*/.exec(attrArea.slice(i));
     if (!nameMatch) {
-      // Not an attribute — copy and advance
+      // Not an attribute — copy and advance
       result += attrArea[i];
       i++;
       continue;
@@ -64,7 +64,7 @@ function rewriteAttrArea(attrArea: string): string {
     while (j < attrArea.length && /\s/.test(attrArea[j])) j++;
 
     if (j >= attrArea.length || attrArea[j] !== "=") {
-      // Boolean attribute (no =) — pass through, Rule 5 handles
+      // Boolean attribute (no =) — pass through, Rule 5 handles
       result += attrName;
       // Copy whitespace between name and end (or next attr)
       result += attrArea.slice(afterName, j);
@@ -83,7 +83,7 @@ function rewriteAttrArea(attrArea: string): string {
     while (j < attrArea.length && /\s/.test(attrArea[j])) j++;
 
     if (j >= attrArea.length) {
-      // Trailing = with no value — preserve as-is
+      // Trailing = with no value — preserve as-is
       result += attrArea.slice(afterEq);
       i = attrArea.length;
       continue;
@@ -93,19 +93,19 @@ function rewriteAttrArea(attrArea: string): string {
     result += attrArea.slice(afterEq, j);
 
     if (attrArea[j] === '"' || attrArea[j] === "'") {
-      // Quoted value — pass through entirely
+      // Quoted value — pass through entirely
       const quote = attrArea[j];
       const end = attrArea.indexOf(quote, j + 1);
       if (end === -1) {
-        // Malformed — copy rest as-is
+        // Malformed — copy rest as-is
         result += attrArea.slice(j);
         i = attrArea.length;
         continue;
       }
       result += attrArea.slice(j, end + 1);
       i = end + 1;
     } else {
-      // Unquoted value — read until whitespace, end, or self-closing /
+      // Unquoted value — read until whitespace, end, or self-closing /
       // (per HTML5 spec, unquoted values terminate at whitespace, >, or
       // when `/` is followed by `>` for self-closing tags). The lone `/`
       // inside URLs like https://example.com/x.html is part of the value.

src/html-normalizer/rules/quote-unquoted-boolean-attrs.ts

@@ -1,4 +1,4 @@
-/**
+/**
  * Rule 5 of the Tier 1 normalizer: quote unquoted boolean attributes.
  *
  * HTML5 defines a "boolean attribute" syntax that allows attribute names to
@@ -11,20 +11,20 @@
  * empty-string form: `<input checked>` becomes `<input checked="">`. The
  * empty string is the canonical XHTML serialization of a boolean attribute.
  *
- * Spec reference: WHATWG HTML Living Standard § 2.6.2 "Boolean attributes".
+ * Spec reference: WHATWG HTML Living Standard § 2.6.2 "Boolean attributes".
  *
  * Scope: only attribute names that appear without `=` are rewritten. Quoted
  * values pass through unchanged. The tag name itself (the first identifier
  * after `<`) is never rewritten. Self-closing markers (`/>`) are preserved.
  * Unquoted attribute values (e.g. `href=page`) are passed through verbatim
- * — Rule 6 handles those.
+ * — Rule 6 handles those.
  *
  * Composition note: this rule runs before Rule 1 (selfCloseVoidElements)
  * and Rule 2 (decodeNamedEntities) in the composite normalizer. The order
  * is structural-rules-first, content-rules-last.
  */
 
-const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s[^>]*)?)>/g;
+const TAG_PATTERN = /<([a-zA-Z][a-zA-Z0-9-]*)(?=[\s>])([^>]*)>/g;
 
 /**
  * Scan an attribute area and rewrite unquoted boolean attributes to
@@ -49,7 +49,7 @@ function rewriteAttrArea(attrArea: string): string {
     // Try to match an attribute name
     const nameMatch = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*/.exec(attrArea.slice(i));
     if (!nameMatch) {
-      // Not an attribute — copy the character and advance
+      // Not an attribute — copy the character and advance
       result += attrArea[i];
       i++;
       continue;
@@ -63,7 +63,7 @@ function rewriteAttrArea(attrArea: string): string {
     while (j < attrArea.length && /\s/.test(attrArea[j])) j++;
 
     if (j < attrArea.length && attrArea[j] === "=") {
-      // Attribute with a value — pass through name, =, and the value
+      // Attribute with a value — pass through name, =, and the value
       result += attrName;
       // Copy whitespace between name and =
       result += attrArea.slice(afterName, j);
@@ -76,19 +76,19 @@ function rewriteAttrArea(attrArea: string): string {
         j++;
       }
       if (j < attrArea.length && (attrArea[j] === '"' || attrArea[j] === "'")) {
-        // Quoted value — copy through entirely
+        // Quoted value — copy through entirely
         const quote = attrArea[j];
         const end = attrArea.indexOf(quote, j + 1);
         if (end === -1) {
-          // Malformed — copy rest as-is
+          // Malformed — copy rest as-is
           result += attrArea.slice(j);
           i = attrArea.length;
           continue;
         }
         result += attrArea.slice(j, end + 1);
         i = end + 1;
       } else {
-        // Unquoted value — Rule 6 handles this. Copy the value through
+        // Unquoted value — Rule 6 handles this. Copy the value through
         // without modification and advance past it.
         let valEnd = j;
         while (valEnd < attrArea.length) {
@@ -101,7 +101,7 @@ function rewriteAttrArea(attrArea: string): string {
         i = valEnd;
       }
     } else {
-      // Boolean attribute — rewrite as name=""
+      // Boolean attribute — rewrite as name=""
       result += `${attrName}=""`;
       i = afterName;
     }

src/html-normalizer/rules/raw-text.ts

@@ -18,7 +18,7 @@
  * content. The composite order is enforced in src/html-normalizer/index.ts.
  */
 
-const RAW_TEXT_PATTERN = /<(script|style)((?:\s[^>]*)?)>[\s\S]*?<\/\1\s*>/g;
+const RAW_TEXT_PATTERN = /<(script|style)(?=[\s>])([^>]*)>[\s\S]*?<\/\1\s*>/g;
 
 /**
  * Empty the content of `<script>` and `<style>` elements while preserving

src/markdown/emitter.ts

@@ -1,22 +1,22 @@
-/**
+/**
  * Markdown emitter for the ODT document model.
  *
  * Converts the structured document model produced by the ODT parser into
- * a Markdown string. Zero runtime dependencies — the emitter is a pure
+ * a Markdown string. Zero runtime dependencies — the emitter is a pure
  * function over OdtDocumentModel.
  *
  * Structural coverage:
- *  - Headings levels 1–6 (# through ######)
+ *  - Headings levels 1–6 (# through ######)
  *  - Paragraphs with blank-line separation
  *  - Bold, italic, bold+italic, strikethrough (GFM)
- *  - Underline → <u>text</u> (HTML passthrough — valid in GFM)
- *  - Superscript → <sup>text</sup>, subscript → <sub>text</sub>
- *  - Hyperlinks → [text](url)
- *  - Hard line breaks → two trailing spaces + newline
+ *  - Underline → <u>text</u> (HTML passthrough — valid in GFM)
+ *  - Superscript → <sup>text</sup>, subscript → <sub>text</sub>
+ *  - Hyperlinks → [text](url)
+ *  - Hard line breaks → two trailing spaces + newline
  *  - Unordered and ordered lists with nested sub-lists
- *  - Tables → GFM pipe table with --- separator row
- *  - Images → ![alt](name) placeholder (base64 data not inlined)
- *  - Sections → body content only (no Markdown equivalent)
+ *  - Tables → GFM pipe table with --- separator row
+ *  - Images → ![alt](name) placeholder (base64 data not inlined)
+ *  - Sections → body content only (no Markdown equivalent)
  *  - Tracked changes: final (default), original, and changes modes
  *
  * Text content is escaped for Markdown. The following characters are
@@ -50,10 +50,10 @@ export interface MarkdownEmitOptions {
   /**
    * Markdown flavor to target.
    *
-   * "gfm" (default): GitHub Flavored Markdown — enables pipe tables and
+   * "gfm" (default): GitHub Flavored Markdown — enables pipe tables and
    *   ~~strikethrough~~. Compatible with GitHub, GitLab, and most modern
    *   Markdown renderers.
-   * "commonmark": CommonMark only — tables are omitted (cells emitted as
+   * "commonmark": CommonMark only — tables are omitted (cells emitted as
    *   plain paragraphs), strikethrough falls back to plain text.
    */
   flavor?: "commonmark" | "gfm";
@@ -63,13 +63,13 @@ export interface MarkdownEmitOptions {
    *
    * "final" (default): insertions rendered as body; deletions produce no output.
    * "original": deletions rendered as body; insertions produce no output.
-   * "changes": insertions → <ins>body</ins>, deletions → <del>body</del>.
+   * "changes": insertions → <ins>body</ins>, deletions → <del>body</del>.
    */
   trackedChanges?: "final" | "original" | "changes";
   /**
    * If true, images are embedded as base64 data URLs (`![alt](data:image/png;base64,...)`).
    * Produces a fully self-contained Markdown file at the cost of larger file size.
-   * Defaults to false — images are emitted as `![alt](name)` placeholders.
+   * Defaults to false — images are emitted as `![alt](name)` placeholders.
    */
   embedImages?: boolean;
 }
@@ -97,8 +97,8 @@ function escapeMd(text: string): string {
  * Emit a TextSpan to a Markdown string.
  *
  * Formatting nesting order (innermost first):
- * superscript/subscript → underline → strikethrough → italic → bold
- * → hyperlink anchor.
+ * superscript/subscript → underline → strikethrough → italic → bold
+ * → hyperlink anchor.
  */
 function emitTextSpan(span: TextSpan, options?: MarkdownEmitOptions): string {
   if (span.lineBreak) return "  \n";
@@ -132,7 +132,7 @@ function emitTextSpan(span: TextSpan, options?: MarkdownEmitOptions): string {
 /**
  * Emit an ImageNode as a Markdown image placeholder.
  *
- * By default, base64 image data is not inlined — the alt text and name are
+ * By default, base64 image data is not inlined — the alt text and name are
  * preserved as a placeholder so consumers can substitute with real paths.
  * Pass `{ embedImages: true }` to embed images as base64 data URLs instead.
  */
@@ -158,7 +158,7 @@ function emitNote(node: NoteNode, options?: MarkdownEmitOptions): string {
   return `^[${content.trim()}]`;
 }
 
-/** Emit a FieldNode — page number and page count get descriptive placeholders. */
+/** Emit a FieldNode — page number and page count get descriptive placeholders. */
 function emitField(node: FieldNode): string {
   if (node.fieldType === "pageNumber") return node.value ?? "[page]";
   if (node.fieldType === "pageCount") return node.value ?? "[pages]";
@@ -174,7 +174,7 @@ function emitInlineNode(node: InlineNode, options?: MarkdownEmitOptions): string
       case "note":
         return emitNote(node, options);
       case "bookmark":
-        // Bookmarks have no Markdown equivalent — emit nothing
+        // Bookmarks have no Markdown equivalent — emit nothing
         return "";
       case "field":
         return emitField(node);
@@ -219,11 +219,15 @@ function emitList(list: ListNode, options?: MarkdownEmitOptions, depth = 0): str
  * cells is inserted after it. Falls back to plain paragraph text per cell
  * when flavor is "commonmark".
  */
+function escapeMarkdownTableCell(s: string): string {
+  return s.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/\n/g, " ");
+}
+
 function emitTable(table: TableNode, options?: MarkdownEmitOptions): string {
   if (table.rows.length === 0) return "";
 
   if (options?.flavor === "commonmark") {
-    // CommonMark has no table syntax — emit rows as plain text paragraphs
+    // CommonMark has no table syntax — emit rows as plain text paragraphs
     return table.rows
       .map((row) => row.cells.map((cell) => emitSpans(cell.spans, options)).join(" | "))
       .join("\n\n");
@@ -232,7 +236,7 @@ function emitTable(table: TableNode, options?: MarkdownEmitOptions): string {
   const rows = table.rows.map(
     (row) =>
       "| " +
-      row.cells.map((cell) => emitSpans(cell.spans, options).replace(/\|/g, "\\|")).join(" | ") +
+      row.cells.map((cell) => escapeMarkdownTableCell(emitSpans(cell.spans, options))).join(" | ") +
       " |",
   );
 
@@ -246,7 +250,7 @@ function emitTable(table: TableNode, options?: MarkdownEmitOptions): string {
 }
 
 /**
- * Emit a SectionNode — Markdown has no section construct.
+ * Emit a SectionNode — Markdown has no section construct.
  * Emits the body content directly.
  */
 function emitSection(node: SectionNode, options?: MarkdownEmitOptions): string {
@@ -256,7 +260,7 @@ function emitSection(node: SectionNode, options?: MarkdownEmitOptions): string {
 /**
  * Emit a TrackedChangeNode.
  *
- * "changes" mode: insertions → <ins>body</ins>, deletions → <del>body</del>.
+ * "changes" mode: insertions → <ins>body</ins>, deletions → <del>body</del>.
  * Other modes: body emitted transparently.
  */
 function emitTrackedChange(node: TrackedChangeNode, options?: MarkdownEmitOptions): string {