Harden protocol icon check logging against injection

- sanitize untrusted values before writing to stderr
- apply sanitization to missing protocol names and caught error messages
- keep current script behavior and exit codes unchanged

Author: easeev

scripts/check-protocol-icons.js

@@ -26,6 +26,12 @@ const protocolIconPath = path.join(
 
 const protocolMetadata = JSON.parse(fs.readFileSync(protocolMetadataPath, 'utf8'));
 
+const sanitizeForLog = (value) =>
+  String(value)
+    .replace(/[\r\n\t]/g, ' ')
+    .replace(/[^\x20-\x7E]/g, '')
+    .trim();
+
 const capitalizeFirstLetter = (value) => {
   if (!value) {
     return '';
@@ -134,7 +140,7 @@ const main = async () => {
   if (missingIconProtocols.length) {
     console.error('Protocol icons missing for currently visible protocols:');
     missingIconProtocols.forEach((protocolName) => {
-      console.error(`- ${protocolName}`);
+      console.error(`- ${sanitizeForLog(protocolName)}`);
     });
     process.exitCode = 1;
     return;
@@ -146,6 +152,7 @@ const main = async () => {
 };
 
 main().catch((error) => {
-  console.error(`Protocol icon check failed: ${error.message}`);
+  const safeErrorMessage = sanitizeForLog(error?.message || 'Unknown error');
+  console.error(`Protocol icon check failed: ${safeErrorMessage}`);
   process.exitCode = 1;
 });