The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 26, 2026 9:23pm

PR Summary

Medium Risk
Security hardening on user-influenced transcript text before it is stored or displayed; scope is limited to the Zoom VTT parser with new regression tests.

Overview
Hardens Zoom WebVTT transcript parsing by replacing a single-pass tag strip with a loop that removes </?[^>]+> tags until the string stops changing, closing CodeQL “incomplete multi-character sanitization” bypasses where partial stripping could leave reconstructed markup (including in attendee-controlled speaker labels).

Exports parseVtt from zoom.ts only for tests (documented as non-public) and adds zoom.test.ts covering normal VTT behavior plus adversarial/nested tag inputs.

^{Reviewed by Cursor Bugbot for commit 79c057e. Configure here.}

Greptile Summary

This PR hardens the WebVTT transcript parser in the Zoom connector against a CodeQL "Incomplete multi-character sanitization" finding by replacing a single-pass tag-stripping regex with a do-while loop that re-strips until the string reaches a stable fixed point. Regression tests are added to cover the hardened path.

• zoom.ts: parseVtt now runs /<\/?[^>]+>/g iteratively until no match remains, preventing crafted inputs (e.g. <<b>b>text</<b>b>) from reconstructing a tag after one pass. The function is exported solely to enable the new tests.
• zoom.test.ts: 14 concurrent cases exercise both normal parsing (voice tags, karaoke timestamps, whitespace collapsing) and adversarial inputs (overlapping tags, nested script fragments, crafted speaker names, deeply-nested bracket sequences).

Confidence Score: 5/5

Safe to merge — the change is tightly scoped to a single pure function with no side effects, and the new tests verify both normal operation and the adversarial inputs the fix targets.

The do-while loop terminates correctly because each pass can only shorten or preserve the string, guaranteeing convergence. The regex [^>]+ uses a simple negated character class with no nested quantifiers, so there is no ReDoS exposure. Zoom display-name length limits bound nesting depth in practice, and the tests pin the behavior for future refactors.

No files require special attention.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Raw cue text lines joined] --> B[Apply voice-tag regex\n replace v Speaker text /v → Speaker: text]
    B --> C[withoutTags = withSpeakers]
    C --> D{Loop iteration:\nprevious = withoutTags\nwithoutTags = strip tags}
    D --> E{withoutTags === previous?}
    E -- No, tags were found --> D
    E -- Yes, stable fixed-point --> F[Collapse whitespace + trim]
    F --> G{Non-empty?}
    G -- Yes --> H[Push to segments]
    G -- No --> I[Skip]

_{Reviews (2): Last reviewed commit: "test(zoom): cover iterative sanitization..." | Re-trigger Greptile}

@greptile

@cursor review