add code scanning codeql and eslint workflows as well as fix formating

.eslintrc.js

@@ -9,7 +9,7 @@ module.exports = {
 		"ecmaVersion": 13,
 		"sourceType": "module"
 	},
-	"ignorePatterns": ["dist/*.js"],
+	"ignorePatterns": ["dist/*.js", "public/joystick.js", "public/textplus.js"],
 	"rules": {
 		"quotes": [
 			"error",

.github/workflows/codeql.yml

@@ -0,0 +1,82 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '22 13 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript-typescript' ]
+        # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #     echo "Run, Build Application using script"
+    #     ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/eslint.yml

@@ -0,0 +1,50 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# ESLint is a tool for identifying and reporting on patterns
+# found in ECMAScript/JavaScript code.
+# More details at https://github.com/eslint/eslint
+# and https://eslint.org
+
+name: ESLint
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '42 9 * * 3'
+
+jobs:
+  eslint:
+    name: Run eslint scanning
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install ESLint
+        run: |
+          npm install [email protected]
+          npm install @microsoft/[email protected]
+
+      - name: Run ESLint
+        run: npx eslint .
+          --config .eslintrc.js
+          --ext .js,.jsx,.ts,.tsx
+          --format @microsoft/eslint-formatter-sarif
+          --output-file eslint-results.sarif
+        continue-on-error: true
+
+      - name: Upload analysis results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: eslint-results.sarif
+          wait-for-processing: true

index.js

@@ -34,7 +34,7 @@ var ipInfo = require("ip-info-finder");
 
 var usewebhook = false;
 var useDb = process.env.DATABASE_URL ? true : false;
-const dbText = "Database not connected. Enable your database using this tutorial: https://iogames.forum/t/integrating-database-to-swordbattle-v1-code/13458"
+const dbText = "Database not connected. Enable your database using this tutorial: https://iogames.forum/t/integrating-database-to-swordbattle-v1-code/13458";
 console.log(useDb ? "Using database" : "Not using database");
 if(process.env.hasOwnProperty("WEBHOOK_URL")) usewebhook = true;
 

moderation.js

@@ -86,7 +86,7 @@
 
               if (module.exports.bannedIps.includes(ip))
               module.exports.bannedIps = module.exports.bannedIps.filter((b) => b != ip);
-              res.send("unbanned "+ip);
+              res.send("unbanned "+ip.replaceAll("<", "&lt;").replaceAll(">", "$gt;"));
             } else {
               res.send("idot");
             }

setup.js

@@ -1,6 +1,6 @@
-replit = false
+replit = false;
 if (process.env["REPLIT_DB_URL"]){
-	replit = true
+	replit = true;
 }
 const fs = require("fs");
 const {execSync} = require("child_process");
@@ -57,8 +57,8 @@ if(!process.env.hasOwnProperty("TOKEN") & !replit) {
 
 if(!process.env.hasOwnProperty("TOKEN") & replit){
 	console.log("👀 We're getting you set up.\n");
-	console.log("⚠️ You are using replit and therefore we can not use dotenv. please go to the secrets tab press open raw editor and paste content from env.json\n")
-	buf = Buffer.from(testenv)
+	console.log("⚠️ You are using replit and therefore we can not use dotenv. please go to the secrets tab press open raw editor and paste content from env.json\n");
+	buf = Buffer.from(testenv);
 	fs.writeFileSync("env.json", JSON.stringify(dotenv.parse(buf)));
 	fs.writeFileSync("config.json", defaultconfig);
 	console.log("⚒️ Installing dependencies... \n");

src/GameScene.js

@@ -1930,7 +1930,7 @@ class GameScene extends Phaser.Scene {
 						(coin?this.coin:this.chestOpen).play();
 					}
 					// eslint-disable-next-line semi
-					if(this.coins.find(coin => coin.id == coinId)) this.coins.find(coin => coin.id == coinId).state = {collected: true, collectedBy: playerId, time: 0}
+					if(this.coins.find(coin => coin.id == coinId)) this.coins.find(coin => coin.id == coinId).state = {collected: true, collectedBy: playerId, time: 0};
 					else if(this.chests.find(chest => chest.id == coinId)) {
 						var chest = this.chests.find(chest => chest.id == coinId);
 

src/TitleScene.js

@@ -179,35 +179,35 @@ try {
     this.featured = this.add.dom(0, this.canvas.height/3).createFromCache("featured").setOrigin(0).setScale(this.mobile ? 0 : 1);
     async function fetchData() {
       try {
-        const response = await fetch('/api/getfeaturedcontent');
+        const response = await fetch("/api/getfeaturedcontent");
         const data = await response.json();
         return data;
       } catch (error) {
-        console.error('Error fetching data:', error);
+        console.error("Error fetching data:", error);
         return [];
       }
     }
 
     // Function to render the featured items in the widget
     // Function to render the featured items in the widget
     function renderWidget(data) {
-      const featuredContentDiv = document.getElementById('featured-content');
-      featuredContentDiv.innerHTML = '';
+      const featuredContentDiv = document.getElementById("featured-content");
+      featuredContentDiv.innerHTML = "";
 
       data.forEach((item) => {
-        const itemDiv = document.createElement('div');
-        itemDiv.classList.add('featured-item');
+        const itemDiv = document.createElement("div");
+        itemDiv.classList.add("Featured-item");
 
-        const thumbnailImg = document.createElement('img');
-        thumbnailImg.src = item.source == "youtube" ? 'https://www.cdnlogo.com/logos/y/84/youtube.svg' : '/assets/images/sword.png';
+        const thumbnailImg = document.createElement("img");
+        thumbnailImg.src = item.source == "youtube" ? "https://www.cdnlogo.com/logos/y/84/youtube.svg" : "/assets/images/sword.png";
 
-        const contentDiv = document.createElement('div');
-        contentDiv.classList.add('featured-item-content');
+        const contentDiv = document.createElement("div");
+        contentDiv.classList.add("featured-item-content");
 
-        const titleH3 = document.createElement('h3');
+        const titleH3 = document.createElement("h3");
         titleH3.textContent = item.title;
 
-        const authorP = document.createElement('p');
+        const authorP = document.createElement("p");
         authorP.textContent = item.author;
         if(item.label) {
           authorP.innerHTML += ` - <span style="color: orange; font-weight: bold;">${item.label}</span>`;
@@ -220,8 +220,8 @@ try {
         itemDiv.appendChild(contentDiv);
 
         // Add an event listener to open the content link when clicked
-        itemDiv.addEventListener('click', () => {
-          window.open(item.link, '_blank');
+        itemDiv.addEventListener("click", () => {
+          window.open(item.link, "_blank");
         });
 
         featuredContentDiv.appendChild(itemDiv);
@@ -357,7 +357,7 @@ try {
         let debugMode = false;
         try {
           const urlParams = new URLSearchParams(window.location.search);
-          const ad = urlParams.get('debugAd');
+          const ad = urlParams.get("debugAd");
           if(ad) {
             debugMode = true;
           }
@@ -393,7 +393,7 @@ try {
                   let failed= false;
                   try {
                     const urlParams = new URLSearchParams(window.location.search);
-                    const ad = urlParams.get('debugAd');
+                    const ad = urlParams.get("debugAd");
                     if(ad) {
                       alert(evt+ " ad completed");
                     }
@@ -429,7 +429,7 @@ transform: translateX(-50%);
             // Check url query param
             try {
             const urlParams = new URLSearchParams(window.location.search);
-            const ad = urlParams.get('debugAd');
+            const ad = urlParams.get("debugAd");
             if(ad) {
               alert("Ad failed to load -- aiptag is undefined");
             }
@@ -965,7 +965,7 @@ document.getElementById("shopFrame").style.display = "none";
 
     // console.log(this.canvas.width + " " + this.canvas.height, this.canvas.width / this.canvas.height);
     this.featured.y = this.canvas.height/3;
-    this.featured.setScale(0.9)
+    this.featured.setScale(0.9);
     if(this.canvas.width < 1000 || this.canvas.height < 700 || this.mobile) {
       if(this.mobile) {
       this.featured.visible = false;

src/index.js

@@ -108,7 +108,7 @@ var gameScene = new GameScene((instantStart=false) => {
     titleScene.instantStart = instantStart;
     firstPlay = false;
 });
-console.log(Date.now()-lastAd, "lastAd")
+console.log(Date.now()-lastAd, "lastAd");
 var titleScene = new TitleScene(((Date.now() - lastAd > adDelay) && !firstPlay), (name, music, secret, adFailed = false) => {
     gameScene.name = name;
     gameScene.options = titleScene.options;
@@ -119,7 +119,7 @@ var titleScene = new TitleScene(((Date.now() - lastAd > adDelay) && !firstPlay),
     titleScene.scene.start("game");
     titleScene.showPromo = false;
     if(!adFailed) {
-    console.log(Date.now()-lastAd, "lastAd")
+    console.log(Date.now()-lastAd, "lastAd");
 
     if(( Date.now() - lastAd > adDelay)) {
         if(sva){
@@ -130,7 +130,7 @@ var titleScene = new TitleScene(((Date.now() - lastAd > adDelay) && !firstPlay),
     }
 }
 }else {
-    console.log("ad failed")
+    console.log("ad failed");
 }
 });