From a88f8159318228027de6ebae8b09c31b7623855e Mon Sep 17 00:00:00 2001
From: Prathamesh Penshanwar <128643250+PRATHAM777P@users.noreply.github.com>
Date: Mon, 27 Apr 2026 23:46:02 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 2: Incomplete multi-character sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/tools/fetch/web-fetch-utils.ts | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/tools/fetch/web-fetch-utils.ts b/src/tools/fetch/web-fetch-utils.ts
index 39448c1..7725c3b 100644
--- a/src/tools/fetch/web-fetch-utils.ts
+++ b/src/tools/fetch/web-fetch-utils.ts
@@ -32,13 +32,23 @@ function normalizeWhitespace(value: string): string {
 .trim();
 }
+function removeUnsafeBlocks(value: string): string {
+ let current = value;
+ let previous: string;
+ do {
+ previous = current;
+ current = current
+ .replace(//gi, "")
+ .replace(//gi, "")
+ .replace(//gi, "");
+ } while (current !== previous);
+ return current;
+}
 export function htmlToMarkdown(html: string): { text: string; title?: string } {
 const titleMatch = html.match(/]*>([\s\S]*?)<\/title>/i);
 const title = titleMatch ? normalizeWhitespace(stripTags(titleMatch[1])) : undefined;
- let text = html
- .replace(//gi, "")
- .replace(//gi, "")
- .replace(//gi, "");
+ let text = removeUnsafeBlocks(html);
 text = text.replace(/]*href=["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi, (_, href, body) => {
 const label = normalizeWhitespace(stripTags(body));
 if (!label) {
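Review bot: The new `removeUnsafeBlocks` helper carries no comment explaining why the three replacements are repeated to a fixed point, which is the whole reason it exists; add a TSDoc along the lines of `/** Strips the matched tag blocks repeatedly until the string stops changing, so that deleting one block cannot expose another that a single pass would have missed. Terminates because every pass only deletes text. */`. That termination argument is grounded in the code: each `.replace(…, "")` can only shorten `current`, so the loop runs at most `value.length + 1` times and cannot spin. The three patterns are not legible in this rendering (`//gi`), so whether they cover every tag the alert named cannot be judged from the diff alone; naming the tag set in the comment would let the next reader check it. On the unchanged line below, `title` is still extracted from the raw `html` rather than the sanitized text, which this commit does not change but is worth a one-line comment if intentional. `htmlToMarkdown` continues past the end of the hunk.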