Potential fix for code scanning alert no. 40: Improper code sanitization

[Tanker187]

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/40

In general, to fix this type of issue you should avoid inserting potentially untrusted strings directly into dynamically constructed JavaScript code, even if they have been run through JSON.stringify. When the generated JavaScript might be embedded in HTML, additional escaping for characters like <, >, /, and Unicode line separators is recommended so content such as </script> or \u2028 cannot break the surrounding context.

For this file, the best minimal fix is to introduce a small helper (e.g. escapeUnsafeChars) that post-processes the JSON.stringify output and replaces a shortlist of problematic characters with safe escape sequences. We then apply this helper to the uses that CodeQL flags as tainted: the JSON.stringify(importPath) used inside the dynamic import(...) call and the JSON.stringify(importKey) used inside the property access in the .then(m => m[...]). This leaves the surrounding logic and behaviour intact but ensures that even if importPath or importKey contain characters like < or </script>, the generated JavaScript is safe to embed.

Concretely:

• Add a constant charMap and a function escapeUnsafeChars(str: string): string near the top of packages/vite/src/node/plugins/importMetaGlob.ts (after imports and before the interfaces).
• Change line 554 to construct importStatement using `import(${escapeUnsafeChars(JSON.stringify(importPath))})`.
• Change line 556 to use escapeUnsafeChars(JSON.stringify(importKey)) inside the computed member access: `.then(m => m[${escapeUnsafeChars(JSON.stringify(importKey))}])`.
  No new external dependencies are required; we can implement the helper using built-in JavaScript features.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.