diff --git a/ui/src/ui/markdown.test.ts b/ui/src/ui/markdown.test.ts
index fee5e9c5d26..e387156b749 100644
--- a/ui/src/ui/markdown.test.ts
+++ b/ui/src/ui/markdown.test.ts
@@ -415,50 +415,35 @@ describe("toSanitizedMarkdownHtml", () => {
 describe("security", () => {
 it("blocks javascript: in links via DOMPurify", () => {
 const html = toSanitizedMarkdownHtml("[click me](javascript:alert(1))");
- // DOMPurify strips dangerous href schemes but keeps the anchor text
- expect(html).not.toContain('href="javascript:');
- expect(html).toContain("click me");
+ expect(html).toBe("

click me

\n");
 });
 it("shows alt text for javascript: images", () => {
 const html = toSanitizedMarkdownHtml("![Build log](javascript:alert(1))");
- expect(html).not.toContain("Build log

\n");
 });
 it("shows alt text for vbscript: and file: images", () => {
 const html1 = toSanitizedMarkdownHtml("![Alt1](vbscript:msgbox(1))");
- expect(html1).toContain("Alt1");
- expect(html1).not.toContain("Alt1

\n");
 const html2 = toSanitizedMarkdownHtml("![Alt2](file:///etc/passwd)");
- expect(html2).toContain("Alt2");
- expect(html2).not.toContain("Alt2

\n");
 });
 it("renders non-image data: URIs as inert links (marked.js compat)", () => {
 const html = toSanitizedMarkdownHtml("[x](data:text/html,)");
- // marked.js generates for all URLs; DOMPurify strips dangerous href.
- // Result: anchor text visible but link is inert (no href or stripped href).
- expect(html).toContain(">x<");
- expect(html).not.toContain('href="data:text/html');
+ expect(html).toBe("

x

\n");
 });
 it("does not auto-link bare file:// URIs", () => {
 const html = toSanitizedMarkdownHtml("Check file:///etc/passwd");
- // Bare file:// without www. or http:// should NOT be auto-linked
- expect(html).not.toContain("Check file:///etc/passwd

\n");
 });
 it("strips href from explicit file:// links via DOMPurify", () => {
 const html = toSanitizedMarkdownHtml("[click](file:///etc/passwd)");
- // DOMPurify strips file: scheme, leaving anchor text
- expect(html).not.toContain('href="file:');
- expect(html).toContain("click");
+ expect(html).toBe("

click

\n"); }); });