Strip HTML tags from a string.
Removes all HTML tags and trims whitespace.
Implemented as a single-pass character walker that tracks < / >
nesting depth rather than a regex. This avoids two CodeQL issues that
the old /<[^>]*>/g pattern had:
js/incomplete-multi-character-sanitization — adversarial inputs
like <scrip<script>t> would leak through a single regex pass.
js/polynomial-redos — <[^>]* could backtrack on long runs of <.
The walker counts every < as opening a tag region and every >
(while depth > 0) as closing one; characters are only emitted at
depth 0. Linear time, no backtracking, idempotent.
Strip HTML tags from a string. Removes all HTML tags and trims whitespace.
Implemented as a single-pass character walker that tracks
</>nesting depth rather than a regex. This avoids two CodeQL issues that the old/<[^>]*>/gpattern had:js/incomplete-multi-character-sanitization— adversarial inputs like<scrip<script>t>would leak through a single regex pass.js/polynomial-redos—<[^>]*could backtrack on long runs of<.The walker counts every
<as opening a tag region and every>(while depth > 0) as closing one; characters are only emitted at depth 0. Linear time, no backtracking, idempotent.