| author | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
| commit | 6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807 (patch) | |
| tree | 0e3f47b6194e426a0ab24f38579f1649f0ca79bf /tests | |
| parent | 0338c7b2504616e1b89ac21a4e1b5e460a42fec6 (diff) | |
| download | dotemacs-6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807.tar.gz dotemacs-6660b0dc2a6e32aa4c4aec910a6a08bf8bb1e807.zip | |
fix(markdown): vendor strapdown.js instead of a plain-HTTP CDN
The live markdown preview pulled strapdown.js from http://ndossougbe.github.io over plain HTTP. That broke the preview with no network, loaded third-party JS over an unencrypted connection (mixed content, MITM), and trusted an unmaintained github.io page against the localhost preview.
I vendored the self-contained bundle (jQuery, marked, bootstrap themes) into assets/strapdown.js and embed it inline. The whole preview now serves from localhost and works offline. cj/markdown-html reads the file once and caches it.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/test-markdown-config.el | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/tests/test-markdown-config.el b/tests/test-markdown-config.el index edb20d357..e079a8b44 100644 --- a/tests/test-markdown-config.el +++ b/tests/test-markdown-config.el @@ -37,10 +37,29 @@ (let ((html (buffer-string))) (should (string-match-p "<!DOCTYPE html>" html)) (should (string-match-p "<xmp" html)) - (should (string-match-p "strapdown\\.js" html)) (should (string-match-p "some \\*\\*markdown\\*\\*" html))))) (kill-buffer src)))) +(ert-deftest test-markdown-html-vendors-strapdown-no-external-cdn () + "Normal: the preview embeds the vendored strapdown inline and references no +external CDN, so the preview works offline and doesn't load third-party JS over +plain HTTP." + (let ((src (generate-new-buffer " *md-cdn*"))) + (unwind-protect + (progn + (with-current-buffer src (insert "# Hello")) + (with-temp-buffer + (cj/markdown-html src) + (let ((html (buffer-string))) + ;; No external CDN of any kind. + (should-not (string-match-p "ndossougbe" html)) + (should-not (string-match-p "src=\"https?://" html)) + ;; Vendored strapdown is embedded inline (a bare <script> with the + ;; ~121KB bundle, not a <script src=...>). + (should (string-match-p "<script>" html)) + (should (> (length html) 100000))))) + (kill-buffer src)))) + (ert-deftest test-markdown-html-empty-source-buffer () "Boundary: an empty source buffer still yields the HTML shell." (let ((src (generate-new-buffer " *md-empty*"))) |
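Review bot: The external-reference check in test-markdown-html-vendors-strapdown-no-external-cdn, `(should-not (string-match-p "src=\"https?://" html))`, only catches a double-quoted src attribute with an explicit http or https scheme. A protocol-relative `src="//..."`, a single-quoted attribute, or a stylesheet loaded through `href=` would pass the test while still fetching from the network. The commit message says the bundle carries bootstrap themes, so a matching should-not for `href` and for protocol-relative URLs would cover what the docstring promises ("references no external CDN"). The inline-embedding check is also loose: `"<script>"` matches any bare script tag, and `(> (length html) 100000)` ties the test to the current bundle size rather than to its content. Asserting on a string known to occur in assets/strapdown.js, or comparing against the file's contents, would show that the vendored file is what was embedded. A one-line comment on why the old `"strapdown\\.js"` assertion was dropped from the first test would also help later readers.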
