From 8d21390294f7ac6b0dc41702ffa098150c1a62bd Mon Sep 17 00:00:00 2001 From: claude code agent Date: Sun, 5 Jul 2026 09:41:09 +0300 Subject: [PATCH] fix(stability): fail CLOSED on feed-sanitize exception + cover bulk-SQL/flush (review round 1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #1 [security] The final feed-sanitize try/except was FAIL-OPEN: since 4.4 removed the per-fragment passes, post['html'] / the concatenated feed html is now raw channel-controlled HTML, and this is its ONLY sanitize. If bleach itself throws (RecursionError/OOM on pathological nested HTML — a class already seen in this project), the except branch returned the RAW payload = stored XSS. Both branches (RSS per-post, HTML whole-feed) now fail CLOSED via html.escape, so the content survives as inert text and no live tag ever reaches the client. Added a test that forces bleach to raise and asserts no live