
Conversation


Copilot AI commented Dec 19, 2025

Adds the wb-data-scrumb.js PlayCanvas script from commit 6993291.

Changes

  • New file: scripts/utils/wb-data-scrumb.js - Data sanitization utility script

Usage

var scrubber = entity.script.wbDataScrumb;
var cleanData = scrubber.scrubData(dirtyData);

Configurable Options

  • removeNullValues - Strip null/undefined values
  • removeEmptyStrings - Strip empty strings
  • trimStrings - Trim whitespace from strings
  • removeEmptyArrays - Strip empty arrays
  • sanitizeHtml - Strip HTML tags from strings
  • maxDepth - Recursion depth limit (prevents infinite loops)
Original prompt

6993291


Summary by cubic

Sync copilot/update-branch-with-latest-commit with main to include recent changes. Adds scripts/utils/wb-data-scrub.js for data sanitization, a world clocks example, CodeQL scanning, a security policy, and small dependency bumps.

  • New Features
    • scripts/utils/wb-data-scrub.js: trims and sanitizes data (removes null/empty values and arrays, optional HTML stripping, depth-limited recursion)
    • World clocks in examples: live multi-timezone clocks (New York, London, Tokyo, Local)

Written for commit 75df634.

JaclynCodes and others added 10 commits July 29, 2025 10:49
Unified gsplat rendering - changes to sorter job scheduling (playcanvas#7864)
Signed-off-by: JaclynCodes <218383634+JaclynCodes@users.noreply.github.com>
Added a security policy document outlining supported versions and vulnerability reporting.

Signed-off-by: JaclynCodes <218383634+JaclynCodes@users.noreply.github.com>
* Add CodeQL analysis workflow configuration

Signed-off-by: JaclynCodes <218383634+JaclynCodes@users.noreply.github.com>

* Chore(deps-dev): bump js-yaml from 4.1.0 to 4.1.1

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Chore(deps): bump glob from 10.4.5 to 10.5.0

Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Chore(deps): bump serialize-javascript from 6.0.1 to 6.0.2 in /examples (#6)

Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 6.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

* Chore(deps): bump js-yaml from 4.1.0 to 4.1.1 in /examples (#5)

---------

Signed-off-by: JaclynCodes <218383634+JaclynCodes@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

coderabbitai bot commented Dec 19, 2025

Important

Review skipped

Bot user detected.


Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Co-authored-by: JaclynCodes <218383634+JaclynCodes@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update branch with latest commit changes" to "Add wb-data-scrumb.js from Engine branch" on Dec 19, 2025
Copilot AI requested a review from JaclynCodes December 19, 2025 01:15
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
JaclynCodes marked this pull request as ready for review December 19, 2025 04:17
Copilot AI review requested due to automatic review settings December 19, 2025 04:17

@cubic-dev-ai cubic-dev-ai bot left a comment


2 issues found across 7 files


<file name="SECURITY.md">

<violation number="1" location="SECURITY.md:10">
P2: Version numbers in the supported versions table (5.1.x, 5.0.x, 4.0.x) don't match the actual project version (2.14.0-beta.0). These appear to be placeholder values from a template. Update to reflect actual project versions to avoid confusing users about security support.</violation>
</file>

<file name="examples/src/static/index.html">

<violation number="1" location="examples/src/static/index.html:11">
P2: Tailwind's Play CDN (`cdn.tailwindcss.com`) is intended for development/prototyping only, not production use. Since this file is deployed to playcanvas.github.io, consider either:
1. Using a proper Tailwind build process with PostCSS
2. Using pre-built Tailwind CSS from a CDN like `https://cdn.jsdelivr.net/npm/tailwindcss@latest/dist/tailwind.min.css`
3. Writing plain CSS for this small widget</violation>
</file>



| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |

@cubic-dev-ai cubic-dev-ai bot Dec 19, 2025


P2: Version numbers in the supported versions table (5.1.x, 5.0.x, 4.0.x) don't match the actual project version (2.14.0-beta.0). These appear to be placeholder values from a template. Update to reflect actual project versions to avoid confusing users about security support.

<file context>
@@ -0,0 +1,21 @@
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
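Review bot: the three rows contradict each other as well as the project: 5.0.x is marked :x: while the older 4.0.x is marked :white_check_mark:, so a reader cannot tell which release line actually receives fixes, and none of 5.1.x, 5.0.x or 4.0.x corresponds to the 2.14.0-beta.0 that this review cites as the current version. Replace the rows with the project's real release lines (current line supported, the previous one marked as supported or not according to the maintainers' actual policy) before this policy is published, since a wrong table tells reporters that a version nobody maintains is covered.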
</file context>


Copilot AI left a comment


Pull request overview

This PR adds a new data sanitization utility script (wb-data-scrub.js) from the Engine branch, along with supporting examples, security documentation, and dependency updates.

  • Introduces a PlayCanvas script for scrubbing/sanitizing data objects with configurable options
  • Adds a world clocks example demonstrating multi-timezone display functionality
  • Sets up CodeQL scanning workflow and security policy documentation

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated 7 comments.

| File | Description |
| ---- | ----------- |
| scripts/utils/wb-data-scrub.js | New PlayCanvas script for data sanitization with configurable rules for removing null/empty values, trimming strings, and HTML sanitization |
| examples/src/static/scripts/main.js | World clocks feature displaying time across multiple timezones (New York, London, Tokyo, Local) |
| examples/src/static/index.html | HTML structure for world clocks widget with Tailwind CSS styling |
| .github/workflows/codeql.yml | CodeQL Advanced workflow for automated security scanning of JavaScript/TypeScript and GitHub Actions |
| SECURITY.md | Security policy template defining supported versions and vulnerability reporting process |
| package-lock.json | Dependency updates for glob (10.4.5 → 10.5.0) and js-yaml (4.1.0 → 4.1.1) |
| examples/package-lock.json | Dependency updates including serialize-javascript (6.0.1 → 6.0.2), js-yaml (4.1.0 → 4.1.1), and peer dependency markers |
Files not reviewed (1)
  • examples/package-lock.json: Language not supported


Comment on lines +173 to +188
    // Check for null/undefined if they should be removed
    if (this.removeNullValues && (data === null || data === undefined)) {
        return false;
    }

    // Check for empty strings if they should be removed
    if (this.removeEmptyStrings && data === '') {
        return false;
    }

    // Check for empty arrays if they should be removed
    if (this.removeEmptyArrays && Array.isArray(data) && data.length === 0) {
        return false;
    }

    return true;

Copilot AI Dec 19, 2025


The validate function only performs shallow validation and doesn't recursively validate nested objects or arrays according to the configured rules. For example, if removeNullValues is true and the data is an object containing null values in nested properties, this validation would pass even though scrubData would remove those values.

Suggested change (replacing the lines quoted above):

    var self = this;
    /**
     * Recursively validates a value according to the configured rules.
     * @param {*} value - The value to validate
     * @returns {boolean} True if the value (and any nested values) are valid
     */
    function validateValue(value) {
        // Check for null/undefined if they should be removed
        if (self.removeNullValues && (value === null || value === undefined)) {
            return false;
        }
        // Check for empty strings if they should be removed
        if (self.removeEmptyStrings && value === '') {
            return false;
        }
        // Check for empty arrays if they should be removed
        if (self.removeEmptyArrays && Array.isArray(value) && value.length === 0) {
            return false;
        }
        // Recurse into arrays
        if (Array.isArray(value)) {
            for (var i = 0; i < value.length; i++) {
                if (!validateValue(value[i])) {
                    return false;
                }
            }
        }
        // Recurse into plain objects
        else if (value && typeof value === 'object') {
            for (var key in value) {
                if (Object.prototype.hasOwnProperty.call(value, key)) {
                    if (!validateValue(value[key])) {
                        return false;
                    }
                }
            }
        }
        return true;
    }
    return validateValue(data);

Comment on lines +91 to +92
    if (this.sanitizeHtml) {
        result = result.replace(this._htmlTagRegex, '');

Copilot AI Dec 19, 2025


The HTML sanitization using a simple regex /<[^>]*>/g is insufficient for security purposes. This regex doesn't handle HTML entities, script content within tags, event handlers, or encoded HTML. If this is intended for security sanitization, consider using a proper HTML sanitization library or documenting that this is only for basic tag stripping and not security purposes.

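To make the point of the comment above concrete, here is an added example (not code from the PR or from wb-data-scrub.js) that runs the same `/<[^>]*>/g` tag-stripping regex next to plain output encoding over a few constructed inputs. `escapeHtml`, `compare` and `report` are helpers written for this example; the sample strings are constructed here and not taken from the PR.

```javascript
// Added example, not code from the PR: the tag-stripping regex quoted in the
// review, side by side with output encoding, run over constructed inputs.
const HTML_TAG_REGEX = /<[^>]*>/g;

// What the reviewed code does: delete anything that looks like a tag.
function stripTags(s) {
  return s.replace(HTML_TAG_REGEX, '');
}

// Output encoding (assumed helper, not from the PR): makes the text inert in
// an HTML text or attribute-value context without discarding any of it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs, each chosen to show one way tag stripping differs from
// a security control.
const SAMPLES = {
  // Well-formed tag: removed entirely, so the caller silently loses the text
  // and learns nothing about what was removed.
  wellFormed: '<img src=x onerror=alert(1)>',
  // No closing '>': the regex never matches and the markup-shaped text passes
  // through unchanged to whatever HTML sink comes next.
  unterminated: '<img src=x onerror=alert(1)',
  // Entity-encoded tag: not a tag to the regex; a later decode step (a
  // template engine, innerHTML on an unescaped value) turns it back into one.
  entityEncoded: '&lt;script&gt;alert(1)&lt;/script&gt;',
  // No tag at all: breaks out of a quoted attribute instead.
  attributeBreakout: '" onmouseover="alert(1)',
  // No tag at all: a javascript: URL is exactly as dangerous after stripping.
  schemeUrl: 'javascript:alert(1)',
};

// Both transformations for one input.
function compare(input) {
  return { stripped: stripTags(input), escaped: escapeHtml(input) };
}

// True when stripping left the input byte-for-byte unchanged, i.e. the
// "sanitizer" did nothing to it.
function untouchedByStripping(input) {
  return stripTags(input) === input;
}

function report() {
  const out = {};
  for (const [name, input] of Object.entries(SAMPLES)) {
    out[name] = { ...compare(input), untouched: untouchedByStripping(input) };
  }
  return out;
}
```

Four of the five samples come out of `stripTags` unchanged, and the fifth loses the user's text without any signal that it did. Encoding at the point of output keeps every input intact and inert in the context it is written to, which is why the option is better documented as basic tag stripping than offered as a security feature.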
Comment on lines +5 to +21
Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |
| 5.0.x | :x: |
| 4.0.x | :white_check_mark: |
| < 4.0 | :x: |

## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.

Copilot AI Dec 19, 2025


The security policy contains placeholder/template text that should be customized for this project. The phrases 'Use this section to tell people about...' and 'Tell them where to go, how often they can expect...' should be replaced with actual project-specific instructions for reporting vulnerabilities and supported versions.

// - Listen to 'dataScrubbed' event to get the result
//
// Example:
// var scrubber = entity.script.wbDataScrumb;

Copilot AI Dec 19, 2025


The variable name in the example has a spelling inconsistency. The script is named 'wbDataScrumb' (with 'Scrumb') but should be 'wbDataScrub' (with 'Scrub') to match the actual script name defined on line 10.

cubic-dev-ai[bot] and others added 2 commits December 19, 2025 00:02
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>
JaclynCodes changed the title from "Add wb-data-scrumb.js from Engine branch" to "Add wb-data-scrub.js from Engine branch" on Dec 19, 2025
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Misfit <218383634+JaclynCodes@users.noreply.github.com>

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file (changes from recent commits).



<file name="scripts/utils/wb-data-scrub.js">

<violation number="1" location="scripts/utils/wb-data-scrub.js:66">
P2: Documentation claims Date, RegExp, DOM nodes, and non-plain objects are "returned as-is", but the implementation converts them to plain objects. Since `typeof` returns `'object'` for these types, they enter the object-handling branch which creates a new `{}` and copies only enumerable own properties, losing their prototype chain and methods. Either update the documentation to reflect actual behavior, or add explicit checks (e.g., `instanceof Date`, `instanceof RegExp`, `value.nodeType`) before the generic object handling to return these types unchanged.</violation>
</file>


*
* Plain objects and arrays are traversed recursively and their primitive
* properties are scrubbed based on the configured options. Values such as
* functions, Date instances, RegExp objects, DOM nodes, and other non-plain

@cubic-dev-ai cubic-dev-ai bot Dec 19, 2025


P2: Documentation claims Date, RegExp, DOM nodes, and non-plain objects are "returned as-is", but the implementation converts them to plain objects. Since typeof returns 'object' for these types, they enter the object-handling branch which creates a new {} and copies only enumerable own properties, losing their prototype chain and methods. Either update the documentation to reflect actual behavior, or add explicit checks (e.g., instanceof Date, instanceof RegExp, value.nodeType) before the generic object handling to return these types unchanged.

<file context>
@@ -59,10 +59,16 @@ WbDataScrumb.prototype.initialize = function () {
+ *
+ * Plain objects and arrays are traversed recursively and their primitive
+ * properties are scrubbed based on the configured options. Values such as
+ * functions, Date instances, RegExp objects, DOM nodes, and other non-plain
+ * objects are not modified and are returned as-is.
+ *
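Review bot: the hunk header still reads `WbDataScrumb.prototype.initialize`, so the script's constructor keeps the misspelling that the PR title was corrected for; rename it to `WbDataScrub` in the same change, together with the `entity.script.wbDataScrumb` reference in the usage comment. The added doc text also promises that functions, Date instances, RegExp objects, DOM nodes and other non-plain objects "are not modified and are returned as-is"; that only holds if a plain-object check runs before the generic object branch (for example `Object.getPrototypeOf(value) === Object.prototype || Object.getPrototypeOf(value) === null`), otherwise `typeof value === 'object'` routes those values into the copy loop and the sentence documents behaviour the code does not have. Either add the check or reword the comment to say those objects are copied as plain objects.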
</file context>
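The option list in the PR description at the top of the thread and the non-plain-object finding directly above call for the same thing, so here is one added example in JavaScript serving both. It is not the PR's wb-data-scrub.js and makes no claim about that script's internals: it is a stand-alone scrubber written for this page, using the same option names the description lists, with an `isPlainObject` gate in front of the object branch, a `maxDepth` cut-off that drops the subtree instead of returning it unscrubbed, and path-based cycle detection. `isPlainObject`, `scrubData`, `keep`, the sample input and the cut-off behaviour are this example's own choices, not the project's.

```javascript
// Added example, not the PR's wb-data-scrub.js: a stand-alone scrubber with
// the option names from the PR description, an enforced depth limit, cycle
// protection, and non-plain objects passed through untouched.
const HTML_TAG_REGEX = /<[^>]*>/g;

const DEFAULT_OPTIONS = {
  removeNullValues: true,
  removeEmptyStrings: true,
  trimStrings: true,
  removeEmptyArrays: true,
  sanitizeHtml: false,
  maxDepth: 10,
};

// Only objects whose prototype is Object.prototype (or null) are traversed.
// `typeof value === 'object'` alone would send Date, RegExp, Map, DOM nodes
// and class instances down the copy path and strip their prototypes.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function scrubString(s, opts) {
  let result = s;
  // Tag stripping only; not an XSS control. Encode for the output context.
  if (opts.sanitizeHtml) result = result.replace(HTML_TAG_REGEX, '');
  if (opts.trimStrings) result = result.trim();
  return result;
}

// Decide, after scrubbing, whether a value stays in its container.
function keep(value, opts) {
  if (opts.removeNullValues && (value === null || value === undefined)) return false;
  if (opts.removeEmptyStrings && value === '') return false;
  if (opts.removeEmptyArrays && Array.isArray(value) && value.length === 0) return false;
  return true;
}

// `path` holds the containers on the current descent, so a cycle is caught
// without mistaking a shared (non-cyclic) reference for one.
function scrubValue(value, opts, depth, path) {
  if (typeof value === 'string') return scrubString(value, opts);
  // Numbers, booleans, functions, Date, RegExp, DOM nodes, class instances:
  // returned as-is, which is what the script's doc comment promises.
  if (!Array.isArray(value) && !isPlainObject(value)) return value;
  // Past maxDepth, or back on a container already on this path: drop the
  // subtree (undefined is removed by `keep` under the default options) rather
  // than recurse forever or hand back data the rules never touched.
  if (depth >= opts.maxDepth || path.has(value)) return undefined;
  path.add(value);
  let out;
  if (Array.isArray(value)) {
    out = [];
    for (const item of value) {
      const scrubbed = scrubValue(item, opts, depth + 1, path);
      if (keep(scrubbed, opts)) out.push(scrubbed);
    }
  } else {
    out = {};
    for (const key of Object.keys(value)) {
      const scrubbed = scrubValue(value[key], opts, depth + 1, path);
      if (keep(scrubbed, opts)) out[key] = scrubbed;
    }
  }
  path.delete(value);
  return out;
}

// Returns new containers; the input is never mutated.
function scrubData(data, options = {}) {
  const opts = { ...DEFAULT_OPTIONS, ...options };
  return scrubValue(data, opts, 0, new Set());
}

// Constructed sample input exercising every rule plus the two edge cases.
function sampleInput() {
  return {
    name: '  Alice <b>bold</b> ',
    nickname: '',
    tags: [],
    nested: { a: null, b: '  x  ', c: [1, '', null, '  two  '] },
    when: new Date(Date.UTC(2025, 11, 19)),
    pattern: /^a+$/,
    deep: { l1: { l2: { l3: { value: '  past the limit  ' } } } },
  };
}

function demo() {
  return scrubData(sampleInput(), { sanitizeHtml: true, maxDepth: 3 });
}

function cycleDemo() {
  const a = { self: null };
  a.self = a;
  return scrubData(a);
}
```

With `maxDepth: 3` the `deep.l1.l2` subtree is dropped rather than returned untouched; if a caller would rather receive the original subtree at the limit, that is the one line to change, but then the depth limit also becomes a way for an attacker to smuggle unscrubbed data past the rules by nesting it deeply enough.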
