diff --git a/server/internal/sanitize/html.go b/server/internal/sanitize/html.go
index 89ca4e094..5d1971f37 100644
--- a/server/internal/sanitize/html.go
+++ b/server/internal/sanitize/html.go
@@ -1,7 +1,9 @@
package sanitize
import (
+ "fmt"
"regexp"
+ "strings"
"github.com/microcosm-cc/bluemonday"
)
@@ -11,11 +13,6 @@ var httpURL = regexp.MustCompile(`^https?://`)
// policy is a shared bluemonday policy that allows safe Markdown HTML while
// stripping dangerous elements (script, iframe, object, embed, style, on*).
-//
-// Note: bluemonday operates on raw text, so HTML inside Markdown code blocks
-// (e.g. ```\n```",
+ want: "```\n\n```",
+ },
+ {
+ name: "script outside code block still stripped",
+ input: "hello world",
+ want: "hello world",
+ },
+ {
+ name: "mixed code and non-code",
+ input: "text `a && b` more end",
+ want: "text `a && b` more end",
+ },
+ {
+ name: "tilde fenced code block preserves content",
+ input: "~~~\na && b\n~~~",
+ want: "~~~\na && b\n~~~",
+ },
}
for _, tt := range tests {