diff --git a/server/internal/sanitize/html.go b/server/internal/sanitize/html.go index 89ca4e094..5d1971f37 100644 --- a/server/internal/sanitize/html.go +++ b/server/internal/sanitize/html.go @@ -1,7 +1,9 @@ package sanitize import ( + "fmt" "regexp" + "strings" "github.com/microcosm-cc/bluemonday" ) @@ -11,11 +13,6 @@ var httpURL = regexp.MustCompile(`^https?://`) // policy is a shared bluemonday policy that allows safe Markdown HTML while // stripping dangerous elements (script, iframe, object, embed, style, on*). -// -// Note: bluemonday operates on raw text, so HTML inside Markdown code blocks -// (e.g. ```\n```", + want: "```\n\n```", + }, + { + name: "script outside code block still stripped", + input: "hello world", + want: "hello world", + }, + { + name: "mixed code and non-code", + input: "text `a && b` more end", + want: "text `a && b` more end", + }, + { + name: "tilde fenced code block preserves content", + input: "~~~\na && b\n~~~", + want: "~~~\na && b\n~~~", + }, } for _, tt := range tests {