From 51fb177c641e33eb4be842cdc5ba1bd438d7b219 Mon Sep 17 00:00:00 2001
From: "qodo-for-filiphric[bot]"
<294811998+qodo-for-filiphric[bot]@users.noreply.github.com>
Date: Sat, 27 Jun 2026 10:27:14 +0000
Subject: [PATCH 1/5] fix: Escape plaintext transform fallback to prevent HTML
injectio
---
cypress/e2e/transformXss.cy.ts | 15 +++++++++++++++
src/modules/transform.ts | 8 +++++++-
2 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 cypress/e2e/transformXss.cy.ts
diff --git a/cypress/e2e/transformXss.cy.ts b/cypress/e2e/transformXss.cy.ts
new file mode 100644
index 0000000..eb80cfb
--- /dev/null
+++ b/cypress/e2e/transformXss.cy.ts
@@ -0,0 +1,15 @@
+import { transform } from '../../src/modules/transform'
+
+describe('transform() plaintext escaping', () => {
+ it('escapes HTML when Prism language is missing (plaintext)', () => {
+ const payload = '""'
+
+ const output = transform(payload, 'plaintext')
+
+ expect(output).to.contain('')
+ expect(output).to.not.contain('