Files
FabledCurator/tests/test_html_sanitize.py
T
bvandeusen c342c73a25
CI / lint (push) Successful in 2s
CI / frontend-build (push) Successful in 18s
CI / backend-lint-and-test (push) Successful in 27s
CI / integration (push) Successful in 3m20s
feat(posts): faithful (semantic) HTML rendering of post bodies
Phase 1 of milestone #64. The body is captured (Phase 0) but was shown as
plain text. Now:
- html_sanitize.py: widen the allowlist to a faithful-but-safe set — headings,
  inline images, lists, blockquote, hr, code/pre, figure, links (div/span stay
  stripped; their text is preserved). Benefits the existing ProvenancePanel too.
- post_feed_service.get_post: add sanitized `description_html` to the DETAIL
  response (the feed list stays lightweight plain text by design).
- PostCard.vue: render description_html via v-html once expanded (fetched with
  detail); collapsed + no-detail fallback stay plain text. Styled close to the
  source (headings, images max-width, accent links, lists, quotes, code).

Tests: sanitizer (headings/img/lists survive, img javascript: src dropped);
get_post returns sanitized description_html.

Refs FC #830.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 13:02:21 -04:00

55 lines
1.9 KiB
Python

from backend.app.utils.html_sanitize import sanitize_post_html
def test_none_and_blank_return_none():
assert sanitize_post_html(None) is None
assert sanitize_post_html("") is None
assert sanitize_post_html(" \n ") is None
def test_allowed_tags_survive():
out = sanitize_post_html("<p>hi <strong>there</strong><br><em>x</em></p>")
assert "<p>" in out and "<strong>" in out and "<br>" in out and "<em>" in out
def test_disallowed_tags_and_attrs_stripped_text_kept():
out = sanitize_post_html('<script>alert(1)</script><p onclick="x">body</p>')
assert "<script>" not in out
assert "alert(1)" not in out # clean_content removes script *content* too
assert "onclick" not in out
assert "body" in out
def test_div_stripped_but_text_preserved():
out = sanitize_post_html("<div><span>keep</span> me</div>")
assert "<div>" not in out and "<span>" not in out
assert "keep" in out and "me" in out
def test_links_get_rel_and_keep_http():
out = sanitize_post_html('<a href="https://example.com/p">link</a>')
assert 'href="https://example.com/p"' in out
assert 'rel="noopener noreferrer"' in out
def test_javascript_href_dropped():
out = sanitize_post_html('<a href="javascript:alert(1)">x</a>')
assert "javascript:" not in out
assert "x" in out # text preserved, dangerous href removed
def test_headings_lists_and_images_survive():
out = sanitize_post_html(
'<h2>Title</h2><p>x</p>'
'<img src="https://cdn.test/a.jpg" alt="art" width="200">'
'<ul><li>one</li></ul><blockquote>q</blockquote>'
)
assert "<h2>" in out
assert '<img' in out and 'src="https://cdn.test/a.jpg"' in out and 'alt="art"' in out
assert "<li>" in out and "<blockquote>" in out
def test_image_javascript_src_dropped():
out = sanitize_post_html('<img src="javascript:alert(1)" alt="x">')
assert "javascript:" not in out