authorCraig Jennings <c@cjennings.net>2026-06-30 17:25:50 -0400
committerCraig Jennings <c@cjennings.net>2026-06-30 17:25:50 -0400
commit6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807 (patch)
tree0e3f47b6194e426a0ab24f38579f1649f0ca79bf /tests/test-markdown-config.el
parent0338c7b2504616e1b89ac21a4e1b5e460a42fec6 (diff)
fix(markdown): vendor strapdown.js instead of a plain-HTTP CDN
The live markdown preview pulled strapdown.js from http://ndossougbe.github.io over plain HTTP. That broke the preview with no network, loaded third-party JS over an unencrypted connection (mixed content, MITM), and trusted an unmaintained github.io page against the localhost preview. I vendored the self-contained bundle (jQuery, marked, bootstrap themes) into assets/strapdown.js and embed it inline. The whole preview now serves from localhost and works offline. cj/markdown-html reads the file once and caches it.
Diffstat (limited to 'tests/test-markdown-config.el')
-rw-r--r--tests/test-markdown-config.el21
1 files changed, 20 insertions, 1 deletions
diff --git a/tests/test-markdown-config.el b/tests/test-markdown-config.el
index edb20d357..e079a8b44 100644
--- a/tests/test-markdown-config.el
+++ b/tests/test-markdown-config.el
@@ -37,10 +37,29 @@
(let ((html (buffer-string)))
(should (string-match-p "<!DOCTYPE html>" html))
(should (string-match-p "<xmp" html))
- (should (string-match-p "strapdown\\.js" html))
(should (string-match-p "some \\*\\*markdown\\*\\*" html)))))
(kill-buffer src))))
+(ert-deftest test-markdown-html-vendors-strapdown-no-external-cdn ()
+ "Normal: the preview embeds the vendored strapdown inline and references no
+external CDN, so the preview works offline and doesn't load third-party JS over
+plain HTTP."
+ (let ((src (generate-new-buffer " *md-cdn*")))
+ (unwind-protect
+ (progn
+ (with-current-buffer src (insert "# Hello"))
+ (with-temp-buffer
+ (cj/markdown-html src)
+ (let ((html (buffer-string)))
+ ;; No external CDN of any kind.
+ (should-not (string-match-p "ndossougbe" html))
+ (should-not (string-match-p "src=\"https?://" html))
+ ;; Vendored strapdown is embedded inline (a bare <script> with the
+ ;; ~121KB bundle, not a <script src=...>).
+ (should (string-match-p "<script>" html))
+ (should (> (length html) 100000)))))
+ (kill-buffer src))))
+
(ert-deftest test-markdown-html-empty-source-buffer ()
"Boundary: an empty source buffer still yields the HTML shell."
(let ((src (generate-new-buffer " *md-empty*")))
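Review bot: The assertion `(should-not (string-match-p "src=\"https?://" html))` is narrower than its comment "No external CDN of any kind": it only catches a double-quoted `src=` with an explicit scheme, so a protocol-relative `src="//host/..."`, a single-quoted or unquoted attribute, or a stylesheet loaded through `href=` would pass unnoticed. Consider widening it to `(should-not (string-match-p "\\(?:src\\|href\\)=[\"']?\\(?:https?:\\)?//" html))`, or rewording the comment to say what is actually checked. Because the match runs over the whole page, including the inlined bundle, a wider pattern may hit string literals inside the vendored JS, so it is probably best applied to the HTML shell around the `<script>` body. The `<script>` and `(> (length html) 100000)` checks also only show that something large was inlined; comparing against the contents of assets/strapdown.js would pin the vendored file itself.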