kunthawat/emdash-patch-imageupload
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
73cce1b5936250633e4145343ee0773bd2ad5897
emdash-patch-imageupload/packages/core/tests/integration/search/snippet-sanitization.test.ts
kunthawat 2d1be52177 Emdash source with visual editor image upload fix 
Fixes:
1. media.ts: wrap placeholder generation in try-catch
2. toolbar.ts: check r.ok, display error message in popover
2026-05-03 10:44:54 +07:00

159 lines
5.4 KiB
TypeScript
Raw Blame History

import type { Kysely } from "kysely";
import { describe, it, expect, beforeEach, afterEach } from "vitest";
import { ContentRepository } from "../../../src/database/repositories/content.js";
import type { Database } from "../../../src/database/types.js";
import { SchemaRegistry } from "../../../src/schema/registry.js";
import { FTSManager } from "../../../src/search/fts-manager.js";
import { searchWithDb } from "../../../src/search/query.js";
import { createPostFixture } from "../../utils/fixtures.js";
import { setupTestDatabaseWithCollections, teardownTestDatabase } from "../../utils/test-db.js";
/**
* Snippets returned by FTS5 splice literal `<mark>` markers around matched
* terms but never escape the surrounding text. If the indexed content
* contains characters that mean something in HTML (`<`, `>`, `&`, `"`,
* `'`) the resulting "snippet" is unsafe to render with set:html or
* innerHTML — both for visual integrity (broken markup, mojibake) and
* for security (a `<script>` literal in a title becomes executable).
*
* The shipped contract is "snippet is safe HTML containing only <mark>
* highlight tags." These tests pin that contract.
*/
describe("search snippet sanitization", () => {
let db: Kysely<Database>;
let repo: ContentRepository;
beforeEach(async () => {
db = await setupTestDatabaseWithCollections();
repo = new ContentRepository(db);
const registry = new SchemaRegistry(db);
const ftsManager = new FTSManager(db);
await registry.updateField("post", "title", { searchable: true });
await ftsManager.enableSearch("post");
});
afterEach(async () => {
await teardownTestDatabase(db);
});
it("escapes `<` and `>` in matched content so a `<script>` title cannot execute", async () => {
// A title containing a literal script tag — exactly the payload
// that an attacker would aim at a poorly-escaped highlighter.
await repo.create(
createPostFixture({
slug: "xss-attempt",
status: "published",
data: { title: "Hello <script>alert(1)</script> world" },
}),
);
const { items } = await searchWithDb(db, "alert", {
collections: ["post"],
});
expect(items).toHaveLength(1);
const snippet = items[0]!.snippet ?? "";
// The dangerous `<script>` substring must be escaped. The result
// is allowed to contain `<mark>...</mark>` highlights, so we
// can't just assert "no `<` chars" — we assert the script tag
// itself cannot appear as live markup.
expect(snippet).not.toContain("<script>");
expect(snippet).not.toContain("</script>");
expect(snippet).toContain("&lt;script&gt;");
});
it("escapes ampersands so `<3` and `&amp;` round-trip correctly", async () => {
await repo.create(
createPostFixture({
slug: "ampersand",
status: "published",
data: { title: "Tom & Jerry: 2 < 3 forever" },
}),
);
const { items } = await searchWithDb(db, "Jerry", {
collections: ["post"],
});
expect(items).toHaveLength(1);
const snippet = items[0]!.snippet ?? "";
// Bare `&` must be escaped to `&amp;` — otherwise a downstream
// HTML parser may interpret `& Jerry` as the start of an entity.
expect(snippet).toContain("&amp;");
expect(snippet).not.toMatch(/&(?!amp;|lt;|gt;|quot;|#39;)/);
// `<` from "2 < 3" must also be escaped, even though it's not
// adjacent to a tag-like structure.
expect(snippet).toContain("&lt;");
});
it("does not crash when the snippet column is NULL", async () => {
// FTS triggers insert raw column values with no COALESCE, so any
// row whose title (the column the snippet() call targets) is
// NULL produces a NULL snippet from SQLite — even when the row
// matched via a different searchable column. A regression that
// drops the null-guard throws "Cannot read properties of null
// (reading 'replace')" before these assertions can run.
const registry = new SchemaRegistry(db);
await registry.updateField("post", "content", { searchable: true });
const ftsManager = new FTSManager(db);
await ftsManager.enableSearch("post");
await repo.create(
createPostFixture({
slug: "no-title",
status: "published",
data: {
// Deliberately NULL title — matched via the content
// column so this row still surfaces in results.
title: null,
content: [
{
_type: "block",
style: "normal",
children: [{ _type: "span", text: "Quokka spotted today" }],
},
],
},
}),
);
const { items } = await searchWithDb(db, "Quokka", {
collections: ["post"],
});
expect(items).toHaveLength(1);
// Whether the snippet ends up as a string or undefined doesn't
// matter — the contract is "the search call must not throw".
expect(typeof items[0]!.snippet === "string" || items[0]!.snippet === undefined).toBe(true);
});
it("preserves `<mark>` highlight tags as live HTML", async () => {
// The whole point of returning a snippet is highlighting matches.
// Sanitization must not strip the markers we deliberately added.
await repo.create(
createPostFixture({
slug: "highlight",
status: "published",
data: { title: "The quick brown fox jumps" },
}),
);
const { items } = await searchWithDb(db, "fox", {
collections: ["post"],
});
expect(items).toHaveLength(1);
const snippet = items[0]!.snippet ?? "";
expect(snippet).toContain("<mark>");
expect(snippet).toContain("</mark>");
// And the highlighted token should be the matched word.
expect(snippet).toMatch(/<mark>fox<\/mark>/i);
});
});
Reference in New Issue View Git Blame Copy Permalink