fix: address code review and security review findings

vict0rsch · vict0rsch · commit b0e35c58ccc8 · 2026-04-13T12:11:50.000+02:00
Made-with: Cursor
diff --git a/src/background/background.js b/src/background/background.js
@@ -87,7 +87,9 @@ export function initBackground() {
     // Remove DOM-dependent setFaviconCode since it's not needed in service worker
 
     const fetchOpenReviewNoteJSON = async (url) => {
-        const id = url.match(/id=([\w-]+)/)[1];
+        const match = url.match(/id=([\w-]+)/);
+        if (!match) return;
+        const id = match[1];
         const api = `https://api.openreview.net/notes?id=${id}`;
         let response = await fetch(api);
         let json = await response.json();
@@ -101,7 +103,9 @@ export function initBackground() {
     };
 
     const fetchOpenReviewForumJSON = async (url) => {
-        const id = url.match(/id=([\w-]+)/)[1];
+        const match = url.match(/id=([\w-]+)/);
+        if (!match) return;
+        const id = match[1];
         const api = `https://api.openreview.net/notes?forum=${id}`;
         let response = await fetch(api);
         let json = await response.json();
diff --git a/src/content_scripts/content_script.js b/src/content_scripts/content_script.js
@@ -136,7 +136,6 @@ $.extend($.easing, {
     },
 });
 
-var PDF_TITLE_ITERS = 0;
 
 /**
  * Centralizes HTML svg codes
@@ -450,12 +449,13 @@ const contentScriptMain = async ({
             const paper = state.papers[id];
             const maxWait = 60 * 1000;
             const maxIters = 20;
-            while (PDF_TITLE_ITERS < maxIters) {
-                const waitTime = Math.min(maxWait, 250 * 2 ** PDF_TITLE_ITERS);
+            let pdfTitleIters = 0;
+            while (pdfTitleIters < maxIters) {
+                const waitTime = Math.min(maxWait, 250 * 2 ** pdfTitleIters);
                 await sleep(waitTime);
                 document.title = "";
                 document.title = paper.title;
-                PDF_TITLE_ITERS++;
+                pdfTitleIters++;
             }
         };
         makeTitle(id);
@@ -660,6 +660,7 @@ const huggingfacePapers = (paper, url) => {
     const abstractH2 = queryAll("h2").find((h) => h.innerText.trim() === "Abstract");
     if (!abstractH2) {
         log("Missing 'Abstract' h2 title on HuggingFace paper page.");
+        return;
     }
     const authorDiv = abstractH2.parentElement.previousElementSibling;
     log("Adding venue to HuggingFace paper page.");
diff --git a/src/options/options.js b/src/options/options.js
@@ -919,7 +919,7 @@ const setupSync = async () => {
 
     if (!ok) {
         if (error) {
-            setHTML("pat-feedback", "Invalid PAT" + "<br/><br/>" + error);
+            setHTML("pat-feedback", "Invalid PAT" + "<br/><br/>" + escapeHtml(String(error)));
         }
         hideId("pat-loader");
         await toggleSync({ hideAll: true });
@@ -944,7 +944,7 @@ const setupSync = async () => {
         const { ok, payload, error } = await getGist({ pat });
         if (!ok) {
             logError(error);
-            setHTML("pat-feedback", error.response.data.message);
+            setHTML("pat-feedback", escapeHtml(String(error.response.data.message)));
         } else {
             const { file, pat, gistId } = payload;
             log("Gist ID", gistId);
diff --git a/src/popup/js/templates.js b/src/popup/js/templates.js
@@ -21,7 +21,7 @@ export const getPaperInfoTable = (paper) => {
     if (paper.venue)
         tableData.push([
             "Publication",
-            `<strong>${paper.venue} ${paper.year}</strong>`,
+            `<strong>${escapeHtml(paper.venue)} ${escapeHtml(String(paper.year))}</strong>`,
         ]);
     return /*html*/ `
         <table class="paper-info-table">
diff --git a/src/shared/js/utils/parsers.js b/src/shared/js/utils/parsers.js
@@ -1928,14 +1928,10 @@ export const autoTagPaper = async (paper) => {
             let authorMatch = true;
             try {
                 if (at.title) {
-                    titleMatch = paper.title
-                        .toLowerCase()
-                        .includes(at.title.toLowerCase());
+                    titleMatch = new RegExp(at.title, "i").test(paper.title);
                 }
                 if (at.author) {
-                    authorMatch = paper.author
-                        .toLowerCase()
-                        .includes(at.author.toLowerCase());
+                    authorMatch = new RegExp(at.author, "i").test(paper.author);
                 }
             } catch (e) {
                 continue;
