Skip to content

test: Enforce markdown sanitization on every Notes render path#195

Merged
FrkAk merged 2 commits into
mainfrom
test/pyz-260-enforce-markdown-sanitization-on-every
Jul 7, 2026
Merged

test: Enforce markdown sanitization on every Notes render path#195
FrkAk merged 2 commits into
mainfrom
test/pyz-260-enforce-markdown-sanitization-on-every

Conversation

@FrkAk

@FrkAk FrkAk commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Task Reference: [PYZ-260]

Verify and pin the Notes markdown-sanitization invariant so it cannot silently regress. Test-only: the sole production edits are two export keywords on already-defined sanitize schemas so tests import the real allowlist instead of duplicating a security-critical config. No render or behavior change; the repo-wide audit found no raw-HTML vector on any note render path (zero dangerouslySetInnerHTML / rehype-raw / allowDangerousHtml).

Tests run the real rehype-sanitize plugin against the real exported noteSchema / schema over constructed hast (render-free, no new deps), since the bun test harness cannot render app .tsx components. React-layer behaviors are pinned by source-level guards, matching the house pattern.

  • tests/ui/note-sanitize.test.ts: sanitizer boundary. <script> dropped; img keeps src, loses every on*; javascript:/data:/vbscript: hrefs stripped, https: kept; noteref-task/noteref-wiki keep only seq/title and drop injected href/onClick; data-src-line survives while sibling style/on* are stripped; the base shared schema is equally strict and rejects the note-only ref tags.
  • tests/ui/highlighter.test.ts: resolveLang canonical passthrough, alias map, case-insensitivity, unknown and injection-shaped langs return null; source guard that CodeBlock renders color-only spans and a plain pre/code fallback.
  • tests/ui/note-raw-html-guard.test.ts: build-failing scan over every note render-path file for raw-HTML vectors, plus single-sanitized-path and external-anchor target/rel structural guards.

Guard bite confirmed: injecting a raw-HTML vector on a note render-path file fails the guard.

Type of change

  • Bug fix
  • New feature
  • Refactor / cleanup
  • Documentation

Testing

  • Tested locally with bun run dev
  • Linting passes (bun run lint)
  • Typecheck passes (bun run typecheck)

bun test on the three new files: 31 pass, 0 fail. bun run format:check clean.

Notes for reviewer

The two exports (noteSchema in NoteMarkdown.tsx, schema in Markdown.tsx) are the minimal testability change; neither touches render logic or EditorPane (PYZ-301). Already-covered refs (remark-note-refs.test.ts, note-markdown.test.ts) are referenced, not duplicated.

Docs impact

none

@FrkAk FrkAk requested review from ZeyNor and ulascanzorer as code owners July 7, 2026 15:35
@FrkAk FrkAk merged commit df404a4 into main Jul 7, 2026
4 checks passed
@FrkAk FrkAk deleted the test/pyz-260-enforce-markdown-sanitization-on-every branch July 7, 2026 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant