mirror of
https://github.com/garrytan/gstack.git
synced 2026-06-17 15:20:11 +02:00
Garry Tan
14fc0866d9
* docs(todos): P3 content-hash diagram render cache for make-pdf Deferred from the diagram-engine eng review (Codex outside-voice D7): repeat make-pdf runs re-render every fence; cache keyed on fence source + bundle version once multi-diagram docs make it worth building. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(diagram-render): offline mermaid+excalidraw render bundle for browse Single self-contained page (dist/diagram-render.html, 9.2MB, committed per eng-review D2) exposing __renderMermaid / __mermaidToExcalidraw / __excalidrawToSvg / __rasterize / __probeImage through browse load-html + js --out. Render contract per D3: securityLevel strict, per-fence ids, print-css font lock, htmlLabels off (canvas-taint-safe). Deterministic build (same sha twice); drift test pins dist == BUILD_INFO == package.json pins and rebuild-reproducibility when toolchain matches. Spike-proven offline: flowchart + sequence SVG, editable .excalidraw scene, 300dpi PNG. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(diagram-render): __downscaleRaster for print-resolution image normalization Data-URI rasters re-encode in their own format (JPEG stays JPEG at q0.9 — PNG-encoding photos bloats them) at an explicit target pixel width. Used by make-pdf's pre-pass for the 300dpi content-box ceiling (eng-review D4). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(make-pdf): diagram pre-pass — mermaid/excalidraw fences render as vector SVG; local images inline as data URIs ```mermaid / ```excalidraw fences extract to placeholder tokens, render in one diagram-render bundle tab per run (reset contract: bundle page reloads after any render error), and substitute back as accessible <figure> blocks with the raw source preserved in a comment. Render failures produce a loud red diagnostic block, never silent raw code. render=false keeps a fence as code; title="..." becomes the aria-label and caption. Local images now actually render: page.setContent loads at about:blank (tab-session.ts:194), so relative paths silently 404'd before. The pre-pass resolves them against the markdown's directory, inlines as data URIs, probes intrinsic dimensions from the bytes (pure-TS PNG/JPEG/GIF/WebP/SVG sniffing), and downscales rasters wider than 2x the content box at 300dpi. Remote URLs warn (offline posture, --allow-network exempts); missing files get a visible placeholder; --strict hard-fails both for CI pipelines. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf): diagram pre-pass unit suite + e2e render gates 34 unit tests (fence extraction incl. nested/tilde/unclosed/render=false, info-string parsing, slot substitution, diagnostic/figure escaping + SVG script strip, byte-level dimension probing across 5 formats, content-box math, image inlining incl. strict/remote/missing/data-URI paths). E2E gate proves through the compiled binary: both fences render as vector text (id-collision check), raw mermaid ships only via render=false, broken fence yields the diagnostic block, and the relative fixture image rasterizes to colored pixels (CRITICAL regression for the about:blank image fix). --strict exits non-zero on a missing image. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(make-pdf): width directives + conservative auto-landscape via CSS named pages `{width=full|<pct>|<dim>}` and `{page=landscape|portrait}` suffixes translate to data-gstack-* attrs in render() (before the sanitizer, which keeps data- attributes; unrecognized brace groups stay visible text). Default width rule needs no code: intrinsic CSS-px capped at the content box, never upscaled — figure img max-width owns it. Auto-landscape promotes a block to `@page wide { size: <pagesize> landscape }` only when aspect >= 1.8 AND intrinsic width > 2.5x the content box (~1600px on letter) AND diagram provenance (rendered fences) or a whole-word alt token (diagram|architecture|flowchart|chart|graph) for plain images. {page=...} forces or vetoes; fence info strings accept page=... too. preferCSSPageSize is passed to Chromium only when a promotion exists, so every other document prints exactly as before. False negatives are cheap; false positives feel broken (eng-review P4, Codex challenge accepted). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf): width-policy unit suite + landscape e2e gate with negative fixtures 24 unit tests weighted toward the false-positive guards: wide screenshot without an alt hint stays portrait, sub-threshold and tall images stay portrait, deterministic 1560/1561px boundary, whole-word alt matching ('photographic' must not match 'graph'), page=portrait veto beats every heuristic, diagnostic blocks never promote. E2E gate asserts pdfinfo per-page boxes through the compiled binary: exactly 3 of 5 fixture blocks get landscape pages (alt-hinted image, directive-forced image, wide sequence diagram) while the unhinted screenshot and the veto'd diagram stay portrait — plus the --toc combo proving TOC and named-page landscape coexist. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(make-pdf): --to html|docx output formats --to html writes the assembled self-contained document directly (no print round-trip): inline vector diagrams, data-URI images, zero network references, plus an @media screen layer for browser reading. --to docx is the content-fidelity export (eng-review P8): html-to-docx@1.8.0 (exact pin; pure JS, bun-compile-verified) maps headings/tables/code/lists; diagrams and SVG images rasterize at 300dpi of the content-box width via the render tab; diagnostic figures convert to plain p/pre so the converter can't silently drop an error. --format keeps its page-size-alias meaning; --to is the output format, and the CLI says so when confused. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf): format gate — html no-network-refs + docx zip content checks HTML: zero src/href network refs, no script/link tags, inline SVG diagrams, data-URI images, screen layer, diagnostic survives. DOCX: valid OOXML zip (document.xml + Content_Types), >=2 PNG media (diagram raster + fixture image), headings + render=false source + diagnostic text in document.xml, no leaked mermaid source from rendered fences. Plus --to validation UX. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(diagram): /diagram skill — English in, editable diagram triplet out New skill: agent authors mermaid from the user's description and renders the triplet through the offline diagram-render bundle in the browse daemon — .mmd source (the single source of truth), editable .excalidraw (opens at excalidraw.com, round-trips back through re-render), and SVG + PNG. Flowcharts convert to fully editable scenes; other mermaid types render with an explicit upstream-converter limitation note. Never ships an unrendered source file; offline is the contract (no CDN fallback). Inventory rows in AGENTS.md + docs/skills.md; generated SKILL.md + llms.txt via gen:skill-docs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(diagram): paid E2E pair — gate triplet contract + periodic authoring judge diagram-triplet (gate, deterministic functional): a fresh claude -p agent following the skill extract must emit a parseable triplet — graph LR/TD in .mmd, excalidraw scene with >3 elements, SVG markup, PNG magic bytes. Verified live: pass, $0.17, 58s. diagram-authoring-quality (periodic, LLM-judged): faithfulness/labels/size rubric with a diagnostic-path cap, floor 6/10. Verified live: pass at exactly 6 with substantive critique. Touchfiles select both on diagram/** and lib/diagram-render/** changes; tier split per E2E_TIERS rules (eng-review D5). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(diagram): register /diagram in the skill coverage matrix Gate: triplet contract + structural floor; periodic: authoring-quality judge. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(make-pdf): typography scale-up, zero image truncation, landscape vertical centering Dogfooding round on the repo README surfaced four output-quality bugs: - Type was too small everywhere: body 11→12pt, h1 22→26pt, h2 15→18pt, cover title 32→56pt with poster spacing, cover meta 10→13pt, TOC 11→12pt with tighter leading, code 9.5→10.5pt, tables 10→11pt. - Zero image truncation, ever: the max-width cap was figure-scoped, but markdown images render as <p><img> — a 1850px GitHub screenshot ran off the page edge. Global img { max-width: 100%; height: auto; } cap. - hyphens: auto put real 'dif-\nferent' breaks into the PDF text layer the moment 12pt made lines wrap (combined-gate caught it). Clean copy-paste is the product contract; left-aligned rag doesn't need hyphenation → hyphens: manual. - Promoted landscape blocks now vertically center. CSS flex/min-height centering fragments into phantom empty landscape pages in Chromium (bisected: min-height at ANY value; 3 promotions printed 5 pages), so image-policy computes an inline margin-top from each block's known aspect ratio against the landscape content box instead — fragmentation handles margins fine. .page-wide also drops its explicit break-before/ after (the page-name change already breaks on both sides). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf): pin zero-truncation invariant, typography floor, centering math Global img cap pinned as a regex invariant (the figure-scoped-cap regression class); typography floor (12pt body, 56pt cover, 12pt TOC); .page-wide must NOT carry min-height/flex (the phantom-landscape-page regression class); centering margin math verified both ways (2400×1000 image → 1.38in, 2050×600 viewBox diagram → 1.93in, page-filling directive block → no margin). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * docs: diagram + multi-format documentation across README, make-pdf skill, and how-to guide README gains /make-pdf (Publisher) and /diagram (Diagram Maker) rows in the sprint table. make-pdf's skill doc — the agent-facing contract — gains Core patterns for mermaid/excalidraw fences (title/render=false/page= options), the image policy ({width=}/{page=} directives, zero-truncation, conservative auto-landscape), --to html|docx, and --strict, plus the --to vs --format disambiguation in Common flags. New docs/howto-diagrams-and-formats.md is the user-facing walkthrough: fences, directives, formats, /diagram triplet, the mermaid racetrack trick, troubleshooting. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf): fill ship-audit coverage gaps — downscale, reset contract, excalidraw fence, WebP Ship coverage audit found 9 gaps (85%); this fills the 2 HIGH + 3 MEDIUM and most LOW. diagram-gate fixture gains a 4200px incompressible photo (the only live coverage of __downscaleRaster AND the 64KB chunked jsViaBuffer eval transport — asserted via the downscale stderr warning), an ```excalidraw scene fence rendered through exportToSvg (vector labels + caption in pdftotext, no leaked scene JSON), and the broken fence MOVED BETWEEN the two mermaid fences so the second diagram rendering proves the D6.2 reset contract end-to-end. New coverage-gaps.test.ts (16 tests): mock-tab reset contract (exactly one reload, post-failure fence renders), excalidraw fail-fast diagnostic without a bundle call, rasterize error fallbacks (figure/tag kept, never silent), WebP VP8/VP8L/VP8X byte parsers, landscapeContentBox a4/asymmetric margins, bare-token slot fallback, resolveBundlePath env override + error shape, screenCss media scoping. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(make-pdf): pre-landing review wave — fence fidelity, injection hardening, Windows paths, transport rework Review army (6 specialists + red team) findings, all fixed: - Indented fences replay byte-for-byte and indented diagram fences are NOT extracted (red-team conf-9: the pre-pass reconstructed fences at column 0, splitting any list containing fenced code — every ordinary document). - String.replace $-pattern injection killed at every seam: substituteSlots, mergeStyle, img/src rewrites all use function replacements (a diagram label containing $' duplicated the document tail). - Big-expression transport reworked: browse `eval <file>` (one spawn, any size, Windows-safe) replaces the 64KB chunked window-buffer eval — fixes the per-chunk spawn cost, the char-vs-byte argv units, AND the Windows 32,767-char command-line ceiling in one move. - Staged-bundle trust: content verified by hash even when the file exists, and the rename-failure path re-hashes the survivor (sticky-bit /tmp EPERM would otherwise ride a pre-planted file past the check). - Windows drive-letter img srcs (C:/x.png) reach the local-path branch instead of being swallowed as unknown URL schemes. - DOCX rasterize-failure now embeds the decoded source as visible text — returning the figure made diagrams vanish silently (converter drops svg). - Fence source preserved as base64 data-gstack-source attribute (the comment encoding corrupted every '-->' arrow); decodeFigureSource() round-trips. - inlineLocalImages memoizes per path; file:// uses fileURLToPath; preview prints a divergence note for fences/local images; --to docx strips the watermark div and warns about print-only flags; TOC links resolve in html/docx (heading ids assigned); waitForExpression sleeps instead of busy-spinning; escapeHtml/svg-dims deduped to single definitions; typography stragglers (blockquote 12pt, footnotes 10pt, 42em screen measure); bundle BUILD_INFO gains srcSha256 for no-node_modules drift detection; MAX_TARGET_PX shared guard. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * ci: make-pdf gate covers the diagram-render bundle; bundle pinned to LF make-pdf-gate.yml paths gain lib/diagram-render/** and the drift test (a bundle-only PR previously skipped every render gate AND no CI lane ran the drift check at all). .gitattributes pins dist html/json to LF so Windows autocrlf can't break the hash-pinned bundle. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * test(make-pdf)+feat(diagram): review-wave test pins + skill transport hardening Tests: indented-fence byte-for-byte replay + no-extraction-in-lists, drive-letter local-path routing, $-pattern slot immunity, base64 source round-trip ('A --> B' exact), existing-style merge preservation, DOCX rasterize-failure surfaces source, srcSha256 + font-stack drift guards, landscape veto asserted as some-portrait/no-landscape (layout-order-proof), judge rubric cap lowered to 5 so it actually fails, vacuous error-shape test removed honestly, tmpdir cleanup. /diagram skill: base64 transport (template literals corrupted backticks/${ in sources), content-addressed staging with hash verification, and --tab-id pinned on every browse call so a concurrent /qa session can't be clobbered. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * feat(make-pdf): out-of-tree image reads warn; --strict makes them fatal (D8.1) Local CLI semantics stay (absolute paths and ../ still inline, like pandoc), but never silently: an agent PDF-ing untrusted markdown can't quietly embed a file from outside the input directory into a shareable document without a visible warning, and --strict pipelines hard-fail. Two unit tests. Also: TODOS.md gains the deferred e2e-harness dedup entry (D8.2). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix: pre-existing test failure in skill-e2e-bws operational-learning Root cause was the fixture, not model behavior: gstack-learnings-log gained an import of lib/jsonl-store.ts in the v1.57.5.0 injection-sanitization wave, but the test copies only bin/ scripts into its sandbox — the inline bun import failed and the script exited 1 before writing, on every run, on main too (reproduced ata5833c41). Fixture now stages lib/jsonl-store.ts beside bin/; verified deterministically (script exits 0, learning written) and via the paid test (1 pass). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix(make-pdf): adversarial-review wave — offline posture enforced, symlink-aware confinement, bounded reads Codex adversarial + structured review findings: - Remote images are now BLOCKED with a visible placeholder instead of warn-and-keep — leaving the tag meant Chromium fetched the URL at print time anyway, so the offline posture was a lie (tracking pixels and internal-URL probes ran without --allow-network). - The out-of-tree read check compares REAL paths: a symlink inside the input dir pointing at ~/.ssh/... passed the string-prefix check, including under --strict. Ordered after the existence check (realpath of a missing file false-positives on macOS /var → /private/var). - Image reads are bounded BEFORE reading: statSync first, non-regular files (fifo/device/dir) and >64MB files degrade to placeholders instead of hanging or exhausting memory; malformed percent-encoding (foo%zz.png) degrades to missing-image instead of crashing decodeURIComponent. - browse shell-outs get a 120s timeout — a wedged daemon or hostile mermaid source fails the run instead of hanging it. - TOC entries link to the heading's ACTUAL id (pre-id'd raw-HTML headings previously got dead #toc-N links); per-side margins compose into the CSS @page shorthand so a landscape promotion flipping preferCSSPageSize no longer silently reverts --margin-left/right to defaults (Codex P2). - The image memo is a typed object — literal NUL-byte separators had made diagram-prepass.ts register as binary to text tooling. Codex structured review GATE: PASS (no P1). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * chore: bump version and changelog (v1.58.0.0) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * docs: sync make-pdf image-policy docs with final shipped behavior (v1.58.0.0) The docs wave (87594420) predated the final review-wave commits, so two docs drifted from shipped behavior: - make-pdf/SKILL.md.tmpl + generated SKILL.md: remote images are BLOCKED with a visible placeholder (not warned-and-kept); out-of-tree reads (including via symlink) warn and --strict makes them fatal; --strict also covers oversized (>64MB) and non-regular files; troubleshooting entry now names the actual "[remote image blocked]" symptom. - docs/howto-diagrams-and-formats.md: same corrections in the image section, CI section, and troubleshooting. - README.md: docs/howto-diagrams-and-formats.md added to the Docs table (was unreachable from any entry-point doc). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * docs: apply Codex doc-review findings for v1.58.0.0 Cross-model doc review (Codex, read-only) checked the v1.58.0.0 docs against the shipped code. Fixes: - howto + make-pdf SKILL: diagram source is preserved base64 in a data-gstack-source attribute, not an HTML comment (-- in mermaid arrows would corrupt a comment); fences must start at column 0; fence options example gains page=portrait; --to html "zero network refs" qualified (--allow-network deliberately keeps remote tags). - /diagram description, README + docs/skills.md rows: the hand-drawn aesthetic belongs to the .excalidraw artifact; rendered SVG/PNG use mermaid's clean neutral theme (lib/diagram-render entry.ts pins theme: "neutral"). - CHANGELOG v1.58.0.0 wording: --strict coverage lists all five fatal classes (missing/remote/out-of-tree/oversized/non-regular); fences are vector SVG in pdf+html, 300dpi PNG in docx; hand-drawn claim scoped to the .excalidraw file. - lib/diagram-render/README: Page API table gains __downscaleRaster. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
524 lines
21 KiB
TypeScript
524 lines
21 KiB
TypeScript
/**
|
|
* Renderer unit tests — pure-function assertions for render.ts, smartypants.ts,
|
|
* and print-css.ts. No Playwright, no PDF generation.
|
|
*/
|
|
|
|
import { describe, expect, test } from "bun:test";
|
|
|
|
import { render, sanitizeUntrustedHtml } from "../src/render";
|
|
import { smartypants } from "../src/smartypants";
|
|
import { printCss } from "../src/print-css";
|
|
|
|
// ─── smartypants ──────────────────────────────────────────────
|
|
|
|
describe("smartypants", () => {
|
|
test("converts straight double quotes to curly", () => {
|
|
const out = smartypants(`<p>She said "hello" to him.</p>`);
|
|
expect(out).toContain("\u201chello\u201d");
|
|
});
|
|
|
|
test("converts em dash (--)", () => {
|
|
const out = smartypants(`<p>This is it -- the answer.</p>`);
|
|
expect(out).toContain("\u2014");
|
|
});
|
|
|
|
test("converts ellipsis (...)", () => {
|
|
const out = smartypants(`<p>Wait...</p>`);
|
|
expect(out).toContain("\u2026");
|
|
});
|
|
|
|
test("converts apostrophes in contractions", () => {
|
|
const out = smartypants(`<p>don't you know?</p>`);
|
|
expect(out).toContain("don\u2019t");
|
|
});
|
|
|
|
test("does NOT touch content inside <code> blocks", () => {
|
|
const input = `<pre><code>const x = "hello"; // it's fine</code></pre>`;
|
|
const out = smartypants(input);
|
|
expect(out).toBe(input); // unchanged
|
|
});
|
|
|
|
test("does NOT touch content inside <pre> blocks", () => {
|
|
const input = `<pre>"quoted" -- don't</pre>`;
|
|
const out = smartypants(input);
|
|
expect(out).toBe(input);
|
|
});
|
|
|
|
test("does NOT touch inline code", () => {
|
|
const out = smartypants(`<p>Use <code>it's</code> like this: "hello".</p>`);
|
|
expect(out).toContain("<code>it's</code>");
|
|
expect(out).toContain("\u201chello\u201d");
|
|
});
|
|
|
|
test("does NOT touch URLs", () => {
|
|
const out = smartypants(`<p>Visit https://example.com/it's-page for "details".</p>`);
|
|
expect(out).toContain("https://example.com/it's-page");
|
|
expect(out).toContain("\u201cdetails\u201d");
|
|
});
|
|
|
|
test("does NOT touch HTML attribute values", () => {
|
|
const out = smartypants(`<a href="it's-a-test.html">link</a>`);
|
|
expect(out).toContain(`href="it's-a-test.html"`);
|
|
});
|
|
|
|
test("does NOT convert -- in CLI flags", () => {
|
|
// Prose like "try --verbose mode" should not turn -- into em dash
|
|
const out = smartypants(`<p>Try --verbose mode.</p>`);
|
|
// Since "--" is followed by a word char but not preceded by word/space,
|
|
// it should remain intact. We're lenient here — acceptable either way.
|
|
expect(out).toMatch(/--verbose|—verbose/);
|
|
});
|
|
});
|
|
|
|
// ─── sanitizer ──────────────────────────────────────────────
|
|
|
|
describe("sanitizeUntrustedHtml", () => {
|
|
test("strips <script> tags and content", () => {
|
|
const input = `<p>hello</p><script>alert(1)</script><p>world</p>`;
|
|
const out = sanitizeUntrustedHtml(input);
|
|
expect(out).not.toContain("<script");
|
|
expect(out).not.toContain("alert");
|
|
expect(out).toContain("<p>hello</p>");
|
|
expect(out).toContain("<p>world</p>");
|
|
});
|
|
|
|
test("strips <iframe>", () => {
|
|
const input = `<p>hi</p><iframe src="evil.com"></iframe>`;
|
|
expect(sanitizeUntrustedHtml(input)).not.toContain("<iframe");
|
|
});
|
|
|
|
test("strips onclick attribute", () => {
|
|
const input = `<a href="#" onclick="alert(1)">click</a>`;
|
|
const out = sanitizeUntrustedHtml(input);
|
|
expect(out).not.toContain("onclick");
|
|
expect(out).toContain("href=\"#\"");
|
|
});
|
|
|
|
test("strips event handlers with mixed case (onClick, ONCLICK)", () => {
|
|
const input1 = `<a href="#" onClick="x()">a</a>`;
|
|
const input2 = `<a href="#" ONCLICK="x()">b</a>`;
|
|
expect(sanitizeUntrustedHtml(input1)).not.toContain("onClick");
|
|
expect(sanitizeUntrustedHtml(input2)).not.toContain("ONCLICK");
|
|
});
|
|
|
|
test("rewrites javascript: URLs in href to #", () => {
|
|
const input = `<a href="javascript:alert(1)">bad</a>`;
|
|
const out = sanitizeUntrustedHtml(input);
|
|
expect(out).not.toContain("javascript:");
|
|
expect(out).toContain('href="#"');
|
|
});
|
|
|
|
test("strips inline SVG <script>", () => {
|
|
const input = `<svg><script>alert(1)</script><circle r="5"/></svg>`;
|
|
const out = sanitizeUntrustedHtml(input);
|
|
expect(out).not.toContain("<script");
|
|
expect(out).toContain("<circle");
|
|
});
|
|
|
|
test("strips <object>, <embed>, <link>, <meta>, <base>, <form>", () => {
|
|
const input = `
|
|
<object data="x.swf"></object>
|
|
<embed src="y.mov">
|
|
<link rel="stylesheet" href="evil.css">
|
|
<meta http-equiv="refresh" content="0;url=evil">
|
|
<base href="evil.com">
|
|
<form action="evil"><input/></form>
|
|
`;
|
|
const out = sanitizeUntrustedHtml(input);
|
|
expect(out).not.toContain("<object");
|
|
expect(out).not.toContain("<embed");
|
|
expect(out).not.toContain("<link");
|
|
expect(out).not.toContain("<meta");
|
|
expect(out).not.toContain("<base");
|
|
expect(out).not.toContain("<form");
|
|
});
|
|
|
|
test("strips srcdoc attribute (iframe escape vector)", () => {
|
|
const input = `<div srcdoc="<script>bad</script>">hi</div>`;
|
|
expect(sanitizeUntrustedHtml(input)).not.toContain("srcdoc");
|
|
});
|
|
});
|
|
|
|
// ─── end-to-end render ──────────────────────────────────────────────
|
|
|
|
describe("render (end-to-end)", () => {
|
|
test("produces a full HTML document with title, body, and CSS", () => {
|
|
const result = render({
|
|
markdown: `# Hello\n\nA paragraph with "quotes" and -- dashes.\n`,
|
|
});
|
|
expect(result.html).toContain("<!doctype html>");
|
|
expect(result.html).toContain("<title>Hello</title>");
|
|
expect(result.html).toContain("<h1");
|
|
expect(result.html).toContain("Hello");
|
|
// CSS should be inlined as <style>...
|
|
expect(result.html).toMatch(/<style>[\s\S]*font-family: Helvetica/);
|
|
// Smartypants ran
|
|
expect(result.html).toContain("\u201cquotes\u201d");
|
|
expect(result.html).toContain("\u2014");
|
|
});
|
|
|
|
test("derives title from first H1 when --title is not passed", () => {
|
|
const result = render({ markdown: `# My Title\n\nBody.` });
|
|
expect(result.meta.title).toBe("My Title");
|
|
});
|
|
|
|
test("uses --title override when provided", () => {
|
|
const result = render({
|
|
markdown: `# Auto-derived\n\nBody.`,
|
|
title: "Explicit Title",
|
|
});
|
|
expect(result.meta.title).toBe("Explicit Title");
|
|
});
|
|
|
|
test("includes cover block when cover=true", () => {
|
|
const result = render({
|
|
markdown: `# Doc\n\nBody.`,
|
|
cover: true,
|
|
subtitle: "A subtitle",
|
|
author: "Garry Tan",
|
|
});
|
|
expect(result.html).toContain(`class="cover"`);
|
|
expect(result.html).toContain(`class="cover-title"`);
|
|
expect(result.html).toContain("A subtitle");
|
|
expect(result.html).toContain("Garry Tan");
|
|
});
|
|
|
|
test("omits cover block when cover=false", () => {
|
|
const result = render({ markdown: `# Memo\n\nBody.` });
|
|
expect(result.html).not.toContain(`class="cover"`);
|
|
});
|
|
|
|
test("injects watermark element when --watermark is set", () => {
|
|
const result = render({ markdown: `# Doc`, watermark: "DRAFT" });
|
|
expect(result.html).toContain(`class="watermark"`);
|
|
expect(result.html).toContain("DRAFT");
|
|
// And the CSS rule for it must be present
|
|
expect(result.html).toContain("position: fixed");
|
|
expect(result.html).toContain("rotate(-30deg)");
|
|
});
|
|
|
|
test("wraps each H1 in its own .chapter section (default)", () => {
|
|
const result = render({
|
|
markdown: `# One\n\nbody 1\n\n# Two\n\nbody 2\n`,
|
|
});
|
|
const chapterMatches = result.html.match(/class="chapter"/g);
|
|
expect(chapterMatches).toBeTruthy();
|
|
if (chapterMatches) expect(chapterMatches.length).toBe(2);
|
|
});
|
|
|
|
test("does NOT create chapter sections when noChapterBreaks=true", () => {
|
|
const result = render({
|
|
markdown: `# One\n\nbody\n\n# Two\n\nbody\n`,
|
|
noChapterBreaks: true,
|
|
});
|
|
const chapterMatches = result.html.match(/class="chapter"/g) ?? [];
|
|
expect(chapterMatches.length).toBe(1);
|
|
});
|
|
|
|
test("builds a TOC with H1/H2 entries when toc=true", () => {
|
|
const result = render({
|
|
markdown: `# One\n\n## Sub\n\nbody\n\n# Two\n\nbody\n`,
|
|
toc: true,
|
|
});
|
|
expect(result.html).toContain(`class="toc"`);
|
|
expect(result.html).toContain(`<h2>Contents</h2>`);
|
|
expect(result.html).toContain("One");
|
|
expect(result.html).toContain("Sub");
|
|
expect(result.html).toContain("Two");
|
|
});
|
|
|
|
test("strips dangerous HTML from untrusted markdown", () => {
|
|
const result = render({
|
|
markdown: `# Safe\n\n<script>alert('xss')</script>\n\nBody.`,
|
|
});
|
|
expect(result.html).not.toContain("<script");
|
|
expect(result.html).not.toContain("alert");
|
|
expect(result.html).toContain("Safe");
|
|
});
|
|
|
|
test("respects text-align: left — no justify in print CSS", () => {
|
|
const result = render({ markdown: `para1\n\npara2\n` });
|
|
// The rule from the design-review fix: no p + p indent, text-align: left.
|
|
expect(result.printCss).toContain("text-align: left");
|
|
expect(result.printCss).not.toContain("text-align: justify");
|
|
expect(result.printCss).not.toContain("text-indent");
|
|
});
|
|
|
|
test("includes CJK font fallback in body", () => {
|
|
const result = render({ markdown: `body` });
|
|
expect(result.printCss).toContain("Hiragino Kaku Gothic");
|
|
expect(result.printCss).toContain("Noto Sans CJK");
|
|
});
|
|
});
|
|
|
|
// ─── print-css ──────────────────────────────────────────────
|
|
|
|
describe("printCss", () => {
|
|
test("emits 1in margins by default", () => {
|
|
const css = printCss();
|
|
expect(css).toContain("margin: 1in");
|
|
});
|
|
|
|
test("respects custom margins flag", () => {
|
|
const css = printCss({ margins: "72pt" });
|
|
expect(css).toContain("margin: 72pt");
|
|
});
|
|
|
|
test("per-side margins reach the CSS @page rule (preferCSSPageSize parity)", () => {
|
|
// Under a landscape promotion Chromium honors the CSS margins, not the
|
|
// CDP per-side options — render() must compose them into the shorthand.
|
|
const r = render({ markdown: "# T", marginLeft: "0.5in", marginRight: "0.5in" });
|
|
expect(r.printCss).toContain("margin: 1in 0.5in 1in 0.5in");
|
|
});
|
|
|
|
test("emits letter page size by default", () => {
|
|
const css = printCss();
|
|
expect(css).toContain("size: letter");
|
|
});
|
|
|
|
test("respects custom page size", () => {
|
|
const css = printCss({ pageSize: "a4" });
|
|
expect(css).toContain("size: a4");
|
|
});
|
|
|
|
test("suppresses running header and footer on cover page", () => {
|
|
const css = printCss();
|
|
expect(css).toMatch(/@page\s*:first\s*\{[\s\S]*?content:\s*none[\s\S]*?content:\s*none/);
|
|
});
|
|
|
|
test("omits CONFIDENTIAL when confidential=false", () => {
|
|
const css = printCss({ confidential: false });
|
|
expect(css).not.toContain("CONFIDENTIAL");
|
|
});
|
|
|
|
test("emits watermark CSS only when watermark is set", () => {
|
|
const withWatermark = printCss({ watermark: "DRAFT" });
|
|
expect(withWatermark).toContain(".watermark");
|
|
expect(withWatermark).toContain("rotate(-30deg)");
|
|
|
|
const withoutWatermark = printCss();
|
|
expect(withoutWatermark).not.toContain(".watermark");
|
|
});
|
|
|
|
test("drops chapter break rule when noChapterBreaks=true", () => {
|
|
const on = printCss({ noChapterBreaks: false });
|
|
expect(on).toContain("break-before: page");
|
|
|
|
const off = printCss({ noChapterBreaks: true });
|
|
expect(off).not.toContain(".chapter { break-before: page");
|
|
});
|
|
|
|
test("always sets p { text-align: left }", () => {
|
|
const css = printCss();
|
|
expect(css).toContain("text-align: left");
|
|
});
|
|
|
|
test("never sets text-indent on p", () => {
|
|
const css = printCss();
|
|
// Confirm no p-indent slipped in
|
|
expect(css).not.toMatch(/p\s*\+\s*p\s*\{[^}]*text-indent/);
|
|
});
|
|
|
|
test("emits @bottom-center page-number rule by default", () => {
|
|
const css = printCss();
|
|
expect(css).toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
test("suppresses @bottom-center page-number rule when pageNumbers=false", () => {
|
|
const css = printCss({ pageNumbers: false });
|
|
expect(css).not.toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
test("still emits @bottom-center when pageNumbers=true (explicit)", () => {
|
|
const css = printCss({ pageNumbers: true });
|
|
expect(css).toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
// Zero image truncation, ever: the cap must be a GLOBAL img rule. Markdown
|
|
// images render as <p><img> (no figure), so a figure-scoped cap alone lets
|
|
// wide screenshots run off the page edge — the exact regression this pins.
|
|
test("emits a global img max-width cap (zero truncation invariant)", () => {
|
|
const css = printCss();
|
|
expect(css).toMatch(/(^|\n)img\s*\{\s*max-width:\s*100%;\s*height:\s*auto;\s*\}/);
|
|
});
|
|
|
|
test("typography floor: body 12pt, poster cover, readable TOC", () => {
|
|
const css = printCss({ cover: true, toc: true });
|
|
expect(css).toContain("font-size: 12pt"); // body
|
|
expect(css).toMatch(/\.cover h1\.cover-title\s*\{[^}]*font-size:\s*56pt/);
|
|
expect(css).toMatch(/\.cover \.cover-meta\s*\{[^}]*font-size:\s*13pt/);
|
|
expect(css).toMatch(/\.toc li\s*\{[^}]*font-size:\s*12pt/);
|
|
});
|
|
|
|
test("page-wide carries the named page and NO height/flex centering", () => {
|
|
const css = printCss();
|
|
expect(css).toMatch(/\.page-wide\s*\{[^}]*page:\s*wide/);
|
|
// Centering is computed by image-policy as an inline margin-top. CSS
|
|
// flex/min-height centering fragments into phantom empty landscape pages
|
|
// in Chromium — this pins the regression (landscape-gate: 5 pages for 3
|
|
// promotions, bisected to min-height at any value).
|
|
expect(css).not.toMatch(/\.page-wide\s*\{[^}]*min-height/);
|
|
expect(css).not.toMatch(/\.page-wide\s*\{[^}]*flex/);
|
|
});
|
|
|
|
test("font stacks include Liberation Sans adjacent to Helvetica", () => {
|
|
const css = printCss({ confidential: true });
|
|
// Body stack
|
|
expect(css).toMatch(/font-family:\s*Helvetica,\s*"Liberation Sans",\s*Arial/);
|
|
// At least one @page margin box (running header / page number / CONFIDENTIAL)
|
|
// should also have the updated stack.
|
|
const marginBoxStacks = css.match(/@(top|bottom)-(center|right)\s*\{[^}]*Liberation Sans/g) ?? [];
|
|
expect(marginBoxStacks.length).toBeGreaterThanOrEqual(1);
|
|
});
|
|
|
|
test("all four original Helvetica stacks now include Liberation Sans", () => {
|
|
const css = printCss({ runningHeader: "Running Title", confidential: true });
|
|
// Count: body (1) + running header (1) + page numbers (1) + confidential (1) = 4
|
|
const occurrences = (css.match(/"Liberation Sans"/g) ?? []).length;
|
|
expect(occurrences).toBeGreaterThanOrEqual(4);
|
|
});
|
|
|
|
// ─── emoji fallback (fix/make-pdf-emoji-tofu) ────────────────
|
|
// Body + @top-center running header get the color-emoji families so
|
|
// Chromium has a glyph source for emoji code points instead of tofu (▯).
|
|
// The @bottom-* boxes hold counters / "CONFIDENTIAL" only — no emoji.
|
|
|
|
test("body stack includes all three emoji families before sans-serif", () => {
|
|
const css = printCss();
|
|
expect(css).toContain(`"Apple Color Emoji"`);
|
|
expect(css).toContain(`"Segoe UI Emoji"`);
|
|
expect(css).toContain(`"Noto Color Emoji"`);
|
|
// Emoji families must precede the generic family so per-character fallback
|
|
// reaches them before terminating at sans-serif.
|
|
expect(css).toMatch(/"Noto Color Emoji",\s*sans-serif/);
|
|
});
|
|
|
|
test("@top-center running header includes emoji families", () => {
|
|
const css = printCss({ runningHeader: "Q3 Report 🚀" });
|
|
const topCenter = css.match(/@top-center\s*\{[^}]*\}/)?.[0] ?? "";
|
|
expect(topCenter).toContain(`"Apple Color Emoji"`);
|
|
expect(topCenter).toContain(`"Noto Color Emoji"`);
|
|
});
|
|
|
|
test("@bottom-center and @bottom-right do NOT include emoji families", () => {
|
|
const css = printCss({ confidential: true });
|
|
const bottomCenter = css.match(/@bottom-center\s*\{[^}]*\}/)?.[0] ?? "";
|
|
const bottomRight = css.match(/@bottom-right\s*\{[^}]*\}/)?.[0] ?? "";
|
|
expect(bottomCenter).not.toContain("Emoji");
|
|
expect(bottomRight).not.toContain("Emoji");
|
|
// ...but they still share the sans stack via the SANS_STACK constant.
|
|
expect(bottomCenter).toContain(`"Liberation Sans"`);
|
|
expect(bottomRight).toContain(`"Liberation Sans"`);
|
|
});
|
|
|
|
test("emoji families appear in exactly the two emoji-bearing stacks", () => {
|
|
const css = printCss({ runningHeader: "Title", confidential: true });
|
|
// body (1) + @top-center (1) = 2 occurrences of the emoji group.
|
|
const occurrences = (css.match(/"Apple Color Emoji"/g) ?? []).length;
|
|
expect(occurrences).toBe(2);
|
|
});
|
|
});
|
|
|
|
// ─── render() — pageNumbers / footerTemplate data flow ───────────────
|
|
|
|
describe("render() — pageNumbers data flow", () => {
|
|
test("CSS footer renders by default", () => {
|
|
const result = render({ markdown: `# Doc\n\nBody.` });
|
|
expect(result.printCss).toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
test("--no-page-numbers reaches the CSS layer", () => {
|
|
const result = render({ markdown: `# Doc\n\nBody.`, pageNumbers: false });
|
|
expect(result.printCss).not.toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
test("footerTemplate suppresses CSS page numbers (custom footer wins)", () => {
|
|
const result = render({
|
|
markdown: `# Doc\n\nBody.`,
|
|
footerTemplate: `<div class="foo">custom</div>`,
|
|
});
|
|
expect(result.printCss).not.toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
|
|
test("pageNumbers=true + no footerTemplate keeps CSS footer", () => {
|
|
const result = render({ markdown: `# Doc`, pageNumbers: true });
|
|
expect(result.printCss).toMatch(/@bottom-center\s*\{\s*content:\s*counter\(page\)/);
|
|
});
|
|
});
|
|
|
|
// ─── render() — HTML entity handling in titles, cover, TOC ───────────
|
|
|
|
describe("render() — no double HTML entity escaping", () => {
|
|
type Case = { char: string; inTitle: string; expectedTitleMeta: string };
|
|
|
|
// Only characters that should flow through unchanged. `"` and `'` are
|
|
// omitted from this set because smartypants converts them to curly quotes
|
|
// before heading extraction — asserted separately below.
|
|
const cases: Case[] = [
|
|
{ char: "&", inTitle: "A & B", expectedTitleMeta: "A & B" },
|
|
{ char: "<", inTitle: "A < B", expectedTitleMeta: "A < B" },
|
|
{ char: ">", inTitle: "A > B", expectedTitleMeta: "A > B" },
|
|
{ char: "©", inTitle: "A © B", expectedTitleMeta: "A © B" },
|
|
{ char: "—", inTitle: "A — B", expectedTitleMeta: "A — B" },
|
|
];
|
|
|
|
for (const { char, inTitle, expectedTitleMeta } of cases) {
|
|
test(`"${char}" in H1 has no double-escape in <title> or cover`, () => {
|
|
const result = render({
|
|
markdown: `# ${inTitle}\n\nBody.`,
|
|
cover: true,
|
|
author: "A",
|
|
});
|
|
// Meta: decoded plain text.
|
|
expect(result.meta.title).toBe(expectedTitleMeta);
|
|
// HTML: <title>...</title> never contains double-escape patterns.
|
|
expect(result.html).not.toMatch(/<title>[^<]*&amp;/);
|
|
expect(result.html).not.toMatch(/<title>[^<]*&lt;/);
|
|
expect(result.html).not.toMatch(/<title>[^<]*&gt;/);
|
|
expect(result.html).not.toMatch(/<title>[^<]*&#\d+;/);
|
|
expect(result.html).not.toMatch(/<title>[^<]*&#x[0-9a-fA-F]+;/);
|
|
// Cover block also single-escape.
|
|
expect(result.html).not.toMatch(/class="cover-title"[^>]*>[^<]*&amp;/);
|
|
});
|
|
}
|
|
|
|
test('ampersand in <title> renders as exactly one "&"', () => {
|
|
const result = render({ markdown: `# Faber & Faber\n\nBody.` });
|
|
expect(result.html).toContain("<title>Faber & Faber</title>");
|
|
expect(result.html).not.toContain("&amp;");
|
|
});
|
|
|
|
test("TOC entries have no double-escape when a heading contains '&'", () => {
|
|
const result = render({
|
|
markdown: `# Doc\n\n## Faber & Faber\n\nBody.\n\n## Other\n\nMore.`,
|
|
toc: true,
|
|
});
|
|
// TOC renders the heading text through escapeHtml; must be single-escaped.
|
|
expect(result.html).toContain("Faber & Faber");
|
|
expect(result.html).not.toContain("&amp;");
|
|
});
|
|
|
|
test('numeric entity in H1 (e.g. "©") decodes cleanly to <title>', () => {
|
|
// Marked passes through numeric entities verbatim in the HTML output,
|
|
// so the decoder must handle them.
|
|
const result = render({ markdown: `# A © B\n\nBody.` });
|
|
expect(result.meta.title).toBe("A © B");
|
|
expect(result.html).toContain("<title>A © B</title>");
|
|
});
|
|
|
|
test("smartypants converts raw quotes in title BEFORE extraction (contract)", () => {
|
|
// We do NOT assert raw `"` survives — smartypants is expected to convert it.
|
|
// The contract is: no double-escape of the encoded form.
|
|
const result = render({ markdown: `# Say "hi"\n\nBody.` });
|
|
expect(result.html).not.toContain("&quot;");
|
|
expect(result.html).not.toContain("&#39;");
|
|
// And <title> contains exactly one level of escaping.
|
|
const titleMatch = result.html.match(/<title>([^<]*)<\/title>/);
|
|
expect(titleMatch).toBeTruthy();
|
|
if (titleMatch) {
|
|
// Never contains a double-encoded entity.
|
|
expect(titleMatch[1]).not.toMatch(/&(amp|lt|gt|quot|#\d+);/);
|
|
}
|
|
});
|
|
});
|