feat(posts): faithful (semantic) HTML rendering of post bodies
Phase 1 of milestone #64. The body is captured (Phase 0) but was shown as plain text. Now: - html_sanitize.py: widen the allowlist to a faithful-but-safe set — headings, inline images, lists, blockquote, hr, code/pre, figure, links (div/span stay stripped; their text is preserved). Benefits the existing ProvenancePanel too. - post_feed_service.get_post: add sanitized `description_html` to the DETAIL response (the feed list stays lightweight plain text by design). - PostCard.vue: render description_html via v-html once expanded (fetched with detail); collapsed + no-detail fallback stay plain text. Styled close to the source (headings, images max-width, accent links, lists, quotes, code). Tests: sanitizer (headings/img/lists survive, img javascript: src dropped); get_post returns sanitized description_html. Refs FC #830. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -36,3 +36,19 @@ def test_javascript_href_dropped():
|
||||
out = sanitize_post_html('<a href="javascript:alert(1)">x</a>')
|
||||
assert "javascript:" not in out
|
||||
assert "x" in out # text preserved, dangerous href removed
|
||||
|
||||
|
||||
def test_headings_lists_and_images_survive():
|
||||
out = sanitize_post_html(
|
||||
'<h2>Title</h2><p>x</p>'
|
||||
'<img src="https://cdn.test/a.jpg" alt="art" width="200">'
|
||||
'<ul><li>one</li></ul><blockquote>q</blockquote>'
|
||||
)
|
||||
assert "<h2>" in out
|
||||
assert '<img' in out and 'src="https://cdn.test/a.jpg"' in out and 'alt="art"' in out
|
||||
assert "<li>" in out and "<blockquote>" in out
|
||||
|
||||
|
||||
def test_image_javascript_src_dropped():
|
||||
out = sanitize_post_html('<img src="javascript:alert(1)" alt="x">')
|
||||
assert "javascript:" not in out
|
||||
|
||||
@@ -419,6 +419,24 @@ async def test_get_post_returns_full_description(db):
|
||||
assert len(item["description_full"]) > 280
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_get_post_returns_sanitized_html_body(db):
|
||||
artist = await _seed_artist(db, "alice-html")
|
||||
src = await _seed_source(db, artist.id, "patreon", "https://p/alice-html")
|
||||
p = await _seed_post(
|
||||
db, src.id, external_id="HTMLBODY", post_date=datetime.now(UTC),
|
||||
description='<h2>Heading</h2><p>body</p><script>alert(1)</script>',
|
||||
)
|
||||
await db.commit()
|
||||
|
||||
item = await PostFeedService(db).get_post(p.id)
|
||||
# Detail carries the sanitized HTML body for faithful rendering; <script> is
|
||||
# stripped, semantic tags survive.
|
||||
assert item["description_html"] is not None
|
||||
assert "<h2>" in item["description_html"]
|
||||
assert "<script>" not in item["description_html"]
|
||||
|
||||
|
||||
@pytest.mark.asyncio
|
||||
async def test_get_post_unknown_returns_none(db):
|
||||
item = await PostFeedService(db).get_post(99999)
|
||||
|
||||
Reference in New Issue
Block a user