test: freeze unsafe markdown links

This commit is contained in:
Shakker
2026-05-12 18:35:40 +01:00
parent 4339a18657
commit 1611539b03


@@ -415,50 +415,35 @@ describe("toSanitizedMarkdownHtml", () => {
describe("security", () => {
it("blocks javascript: in links via DOMPurify", () => {
const html = toSanitizedMarkdownHtml("[click me](javascript:alert(1))");
// DOMPurify strips dangerous href schemes but keeps the anchor text
expect(html).not.toContain('href="javascript:');
expect(html).toContain("click me");
expect(html).toBe("<p><a>click me</a></p>\n");
});
it("shows alt text for javascript: images", () => {
const html = toSanitizedMarkdownHtml("![Build log](javascript:alert(1))");
expect(html).not.toContain("<img");
expect(html).not.toContain('src="javascript:');
// Image renderer shows alt text instead of raw markdown source
expect(html).toContain("Build log");
expect(html).not.toContain("![Build log]");
expect(html).toBe("<p>Build log</p>\n");
});
it("shows alt text for vbscript: and file: images", () => {
const html1 = toSanitizedMarkdownHtml("![Alt1](vbscript:msgbox(1))");
expect(html1).toContain("Alt1");
expect(html1).not.toContain("<img");
expect(html1).toBe("<p>Alt1</p>\n");
const html2 = toSanitizedMarkdownHtml("![Alt2](file:///etc/passwd)");
expect(html2).toContain("Alt2");
expect(html2).not.toContain("<img");
expect(html2).toBe("<p>Alt2</p>\n");
});
it("renders non-image data: URIs as inert links (marked.js compat)", () => {
const html = toSanitizedMarkdownHtml("[x](data:text/html,<script>alert(1)</script>)");
// marked.js generates <a> for all URLs; DOMPurify strips dangerous href.
// Result: anchor text visible but link is inert (no href or stripped href).
expect(html).toContain(">x<");
expect(html).not.toContain('href="data:text/html');
expect(html).toBe("<p><a>x</a></p>\n");
});
it("does not auto-link bare file:// URIs", () => {
const html = toSanitizedMarkdownHtml("Check file:///etc/passwd");
// Bare file:// without www. or http:// should NOT be auto-linked
expect(html).not.toContain("<a");
expect(html).toContain("file:///etc/passwd");
expect(html).toBe("<p>Check file:///etc/passwd</p>\n");
});
it("strips href from explicit file:// links via DOMPurify", () => {
const html = toSanitizedMarkdownHtml("[click](file:///etc/passwd)");
// DOMPurify strips file: scheme, leaving anchor text
expect(html).not.toContain('href="file:');
expect(html).toContain("click");
expect(html).toBe("<p><a>click</a></p>\n");
});
});
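Review bot: The comment above the `data:text/html` case still hedges "no href or stripped href", but the frozen `expect(html).toBe("<p><a>x</a></p>\n")` now pins exactly one of those outcomes — an `<a>` with no `href` attribute at all — so the comment should say what the test actually asserts, e.g. `// marked.js emits <a> for every URL; DOMPurify drops the data: href entirely, leaving a bare, inert <a>.` The same wording tightening applies to the `javascript:` link case at the top of the block, whose comment says "strips dangerous href schemes" while the `toBe` pins a bare `<a>`. All frozen strings use lowercase, canonical scheme spellings; one case with a mixed-case scheme (e.g. `JavaScript:`) would document that the expected bare-`<a>` output does not depend on casing, which is the property these snapshots are meant to freeze. Keep the `not.toContain` lines as the primary security assertion, since the `toBe` lines pin DOMPurify's current output shape rather than the invariant.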