| author | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-06-30 17:25:50 -0400 |
| commit | f53aaf2d6278a219dd19e4f40f2a4c3696ec838a (patch) | |
| tree | 219ddb8da596a6483933cfc731525d92551966e1 /tests | |
| parent | 41ff75b6c69df674214219ee82f38c9fe601b9d5 (diff) | |
| download | dotemacs-f53aaf2d6278a219dd19e4f40f2a4c3696ec838a.tar.gz dotemacs-f53aaf2d6278a219dd19e4f40f2a4c3696ec838a.zip | |
fix(markdown): vendor strapdown.js instead of a plain-HTTP CDN

The live markdown preview pulled strapdown.js from http://ndossougbe.github.io over plain HTTP. That broke the preview with no network, loaded third-party JS over an unencrypted connection (mixed content, MITM), and trusted an unmaintained github.io page against the localhost preview.

I vendored the self-contained bundle (jQuery, marked, bootstrap themes) into assets/strapdown.js and embed it inline. The whole preview now serves from localhost and works offline. cj/markdown-html reads the file once and caches it.

Diffstat (limited to 'tests')
| -rw-r--r-- | tests/test-markdown-config.el | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/tests/test-markdown-config.el b/tests/test-markdown-config.el index edb20d35..e079a8b4 100644 --- a/tests/test-markdown-config.el +++ b/tests/test-markdown-config.el @@ -37,10 +37,29 @@ (let ((html (buffer-string))) (should (string-match-p "<!DOCTYPE html>" html)) (should (string-match-p "<xmp" html)) - (should (string-match-p "strapdown\\.js" html)) (should (string-match-p "some \\*\\*markdown\\*\\*" html))))) (kill-buffer src)))) +(ert-deftest test-markdown-html-vendors-strapdown-no-external-cdn () + "Normal: the preview embeds the vendored strapdown inline and references no +external CDN, so the preview works offline and doesn't load third-party JS over +plain HTTP." + (let ((src (generate-new-buffer " *md-cdn*"))) + (unwind-protect + (progn + (with-current-buffer src (insert "# Hello")) + (with-temp-buffer + (cj/markdown-html src) + (let ((html (buffer-string))) + ;; No external CDN of any kind. + (should-not (string-match-p "ndossougbe" html)) + (should-not (string-match-p "src=\"https?://" html)) + ;; Vendored strapdown is embedded inline (a bare <script> with the + ;; ~121KB bundle, not a <script src=...>). + (should (string-match-p "<script>" html)) + (should (> (length html) 100000))))) + (kill-buffer src)))) + (ert-deftest test-markdown-html-empty-source-buffer () "Boundary: an empty source buffer still yields the HTML shell." (let ((src (generate-new-buffer " *md-empty*"))) |
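
Review bot: The `should-not` on `src=\"https?://` in `test-markdown-html-vendors-strapdown-no-external-cdn` only matches a double-quoted `src` attribute with an explicit scheme, so a protocol-relative `src="//..."`, a single-quoted attribute, or a `<link href="http://...">` for a theme stylesheet would pass the "no external CDN of any kind" check. Widening the pattern to cover `href` and both quote styles, for example `"\\(?:src\\|href\\)=[\"']\\(?:https?:\\)?//"`, would make the test match its comment. The positive checks are also loose proxies: a bare `<script>` plus `(> (length html) 100000)` proves that something large is inline, not that it is the vendored bundle, and the size threshold will break if the bundle is ever re-minified below it. Since the old `strapdown\\.js` assertion is removed in the first test, consider asserting that the contents of assets/strapdown.js (or a short marker string known to be in it) appear in `html`. The commit message also says `cj/markdown-html` caches the file after the first read; nothing in this hunk exercises a second call, so a stale or empty cache would go unnoticed.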
