8 Commits

Author SHA1 Message Date
vvzvlad f13d1507ad fix: escape debug title (XSS) and make test suite order-independent
Docker Image CI / build (pull_request) Has been cancelled
Issue #13: data["html"]["title"] was embedded into the debug HTML of
/post/html without escaping; title never passes through bleach, so a post
whose generated title carries markup (e.g. a poll question) was a reflected
XSS under ?debug=true. Escape it with html.escape, same as raw_message.
Add a regression test with a <script> payload in a poll question.

Issue #17: a bare 'pytest' from the repo root failed 22 tests because the
config in tests/pytest.ini was not picked up (asyncio_mode lost, .venv
collected) and every test module polluted sys.modules['config'] at import
time. Move the config to a root pytest.ini with testpaths=tests, and
centralize the sys.path bootstrap + config mock in tests/conftest.py, which
pytest imports before any test module. Drop the per-module preambles.

Closes #13, closes #17

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-05 17:20:01 +03:00
vvzvlad d2870bc0f6 add youtube title 2025-04-18 22:58:25 +03:00
vvzvlad bb5931389a add fwd title prefix 2025-04-18 03:52:43 +03:00
vvzvlad 8282f84b4a add fwd test 2025-04-18 03:42:36 +03:00
vvzvlad b10a1f40b5 Ensure forward_origin is always present in message object 2025-04-18 03:40:11 +03:00
vvzvlad 30ab46e21f Refactor tests 2025-04-17 20:05:04 +03:00
vvzvlad ecaba7e8bb new truncate_title logic 2025-04-17 19:43:10 +03:00
vvzvlad 77132eebb9 tests refactoring 2025-04-16 03:05:55 +03:00