From 51fb177c641e33eb4be842cdc5ba1bd438d7b219 Mon Sep 17 00:00:00 2001 From: "qodo-for-filiphric[bot]" <294811998+qodo-for-filiphric[bot]@users.noreply.github.com> Date: Sat, 27 Jun 2026 10:27:14 +0000 Subject: [PATCH 1/5] fix: Escape plaintext transform fallback to prevent HTML injectio --- cypress/e2e/transformXss.cy.ts | 15 +++++++++++++++ src/modules/transform.ts | 8 +++++++- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 cypress/e2e/transformXss.cy.ts diff --git a/cypress/e2e/transformXss.cy.ts b/cypress/e2e/transformXss.cy.ts new file mode 100644 index 0000000..eb80cfb --- /dev/null +++ b/cypress/e2e/transformXss.cy.ts @@ -0,0 +1,15 @@ +import { transform } from '../../src/modules/transform' + +describe('transform() plaintext escaping', () => { + it('escapes HTML when Prism language is missing (plaintext)', () => { + const payload = '""' + + const output = transform(payload, 'plaintext') + + expect(output).to.contain('') + expect(output).to.not.contain('