Files
FabledCurator/tests/test_html_sanitize.py
bvandeusen 96c29c370b
CI / lint (push) Successful in 2s
CI / frontend-build (push) Successful in 22s
CI / backend-lint-and-test (push) Successful in 38s
CI / integration (push) Successful in 3m14s
feat(ingest): localize inline post-body images to local copies (Phase 2)
Render a post body faithfully by serving our stored copies of inline
images instead of hotlinking the public CDN. The join key is the CDN
filehash (32-hex MD5) shared between a body <img src> and the media URL
we downloaded (the same identity extract_media dedups by):

- utils.paths.filehash_from_url — one source of truth for the extractor;
  patreon_client._filehash now delegates so capture- and render-time
  hashing cannot drift.
- ImageRecord gains source_url (provenance) + source_filehash (indexed
  match key); migration 0051.
- the per-media sidecar carries the file's source_url; the importer
  persists it (NULL-only) on the ImageRecord via _apply_sidecar.
- post_feed_service.get_post remaps body <img src> -> /images/<path> for
  every inline image whose filehash maps to a stored image of THIS
  artist; unmatched / pre-Phase-2 images keep hotlinking.

Pre-existing on-disk images have no filehash yet, so they fall back to
hotlinking until re-downloaded; localization is forward-looking.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 16:39:58 -04:00

96 lines
3.1 KiB
Python

from backend.app.utils.html_sanitize import (
extract_img_srcs,
rewrite_img_srcs,
sanitize_post_html,
)
def test_none_and_blank_return_none():
assert sanitize_post_html(None) is None
assert sanitize_post_html("") is None
assert sanitize_post_html(" \n ") is None
def test_allowed_tags_survive():
out = sanitize_post_html("<p>hi <strong>there</strong><br><em>x</em></p>")
assert "<p>" in out and "<strong>" in out and "<br>" in out and "<em>" in out
def test_disallowed_tags_and_attrs_stripped_text_kept():
out = sanitize_post_html('<script>alert(1)</script><p onclick="x">body</p>')
assert "<script>" not in out
assert "alert(1)" not in out # clean_content removes script *content* too
assert "onclick" not in out
assert "body" in out
def test_div_stripped_but_text_preserved():
out = sanitize_post_html("<div><span>keep</span> me</div>")
assert "<div>" not in out and "<span>" not in out
assert "keep" in out and "me" in out
def test_links_get_rel_and_keep_http():
out = sanitize_post_html('<a href="https://example.com/p">link</a>')
assert 'href="https://example.com/p"' in out
assert 'rel="noopener noreferrer"' in out
def test_javascript_href_dropped():
out = sanitize_post_html('<a href="javascript:alert(1)">x</a>')
assert "javascript:" not in out
assert "x" in out # text preserved, dangerous href removed
def test_headings_lists_and_images_survive():
out = sanitize_post_html(
'<h2>Title</h2><p>x</p>'
'<img src="https://cdn.test/a.jpg" alt="art" width="200">'
'<ul><li>one</li></ul><blockquote>q</blockquote>'
)
assert "<h2>" in out
assert '<img' in out and 'src="https://cdn.test/a.jpg"' in out and 'alt="art"' in out
assert "<li>" in out and "<blockquote>" in out
def test_image_javascript_src_dropped():
out = sanitize_post_html('<img src="javascript:alert(1)" alt="x">')
assert "javascript:" not in out
# --- inline-image localization helpers (#830 Phase 2) ----------------------
def test_extract_img_srcs_in_order_deduped():
html = (
'<p>a</p><img src="https://cdn.test/1.jpg">'
'<img alt="x" src="https://cdn.test/2.jpg" width="10">'
'<img src="https://cdn.test/1.jpg">'
)
assert extract_img_srcs(html) == [
"https://cdn.test/1.jpg",
"https://cdn.test/2.jpg",
]
def test_extract_img_srcs_empty():
assert extract_img_srcs(None) == []
assert extract_img_srcs("<p>no images</p>") == []
def test_rewrite_img_srcs_swaps_only_mapped():
html = (
'<img src="https://cdn.test/1.jpg" alt="a">'
'<img src="https://cdn.test/2.jpg">'
)
out = rewrite_img_srcs(html, {"https://cdn.test/1.jpg": "/images/local/1.jpg"})
assert 'src="/images/local/1.jpg"' in out
assert 'alt="a"' in out # other attributes preserved
assert 'src="https://cdn.test/2.jpg"' in out # unmapped left alone
def test_rewrite_img_srcs_noop_on_empty():
html = '<img src="https://cdn.test/1.jpg">'
assert rewrite_img_srcs(html, {}) == html
assert rewrite_img_srcs(None, {"a": "b"}) is None