8d21390294
#1 [security] The final feed-sanitize try/except was FAIL-OPEN: since 4.4 removed the per-fragment passes, post['html'] / the concatenated feed html is now raw channel-controlled HTML, and this is its ONLY sanitize. If bleach itself throws (RecursionError/OOM on pathological nested HTML — a class already seen in this project), the except branch returned the RAW payload = stored XSS. Both branches (RSS per-post, HTML whole-feed) now fail CLOSED via html.escape, so the content survives as inert text and no live tag ever reaches the client. Added a test that forces bleach to raise and asserts no live <script>/<img>/<a> reaches the feed (adversarially validated: reverting to fail-open makes it fail). #2 [test] Direct test of the new upsert_media_file_ids_bulk_sync on a temp DB: empty no-op, multi-row insert, and re-upsert-updates-added (the real executemany + ON CONFLICT, previously only mocked). #3 [test] Test that media ids collected before a render exception are still flushed (the flush is in a finally) — removing the finally now turns a test red. #4 [cleanup] Removed the dead in rss_generator (the flush is delegated to post_parser._flush_pending_media_ids). #5 [doc] Corrected the sanitize-map comments: RSS sanitizes per-post, only HTML is the whole-feed pass. 233 passed (214 baseline + 19). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>