authorCraig Jennings <c@cjennings.net>2026-06-30 17:25:50 -0400
committerCraig Jennings <c@cjennings.net>2026-06-30 17:25:50 -0400
commitf53aaf2d6278a219dd19e4f40f2a4c3696ec838a (patch)
tree219ddb8da596a6483933cfc731525d92551966e1 /tests
parent41ff75b6c69df674214219ee82f38c9fe601b9d5 (diff)
fix(markdown): vendor strapdown.js instead of a plain-HTTP CDN
The live markdown preview pulled strapdown.js from http://ndossougbe.github.io over plain HTTP. That broke the preview with no network, loaded third-party JS over an unencrypted connection (mixed content, MITM), and trusted an unmaintained github.io page against the localhost preview. I vendored the self-contained bundle (jQuery, marked, bootstrap themes) into assets/strapdown.js and embed it inline. The whole preview now serves from localhost and works offline. cj/markdown-html reads the file once and caches it.
Diffstat (limited to 'tests')
-rw-r--r--tests/test-markdown-config.el21
1 files changed, 20 insertions, 1 deletions
diff --git a/tests/test-markdown-config.el b/tests/test-markdown-config.el
index edb20d35..e079a8b4 100644
--- a/tests/test-markdown-config.el
+++ b/tests/test-markdown-config.el
@@ -37,10 +37,29 @@
(let ((html (buffer-string)))
(should (string-match-p "<!DOCTYPE html>" html))
(should (string-match-p "<xmp" html))
- (should (string-match-p "strapdown\\.js" html))
(should (string-match-p "some \\*\\*markdown\\*\\*" html)))))
(kill-buffer src))))
+(ert-deftest test-markdown-html-vendors-strapdown-no-external-cdn ()
+ "Normal: the preview embeds the vendored strapdown inline and references no
+external CDN, so the preview works offline and doesn't load third-party JS over
+plain HTTP."
+ (let ((src (generate-new-buffer " *md-cdn*")))
+ (unwind-protect
+ (progn
+ (with-current-buffer src (insert "# Hello"))
+ (with-temp-buffer
+ (cj/markdown-html src)
+ (let ((html (buffer-string)))
+ ;; No external CDN of any kind.
+ (should-not (string-match-p "ndossougbe" html))
+ (should-not (string-match-p "src=\"https?://" html))
+ ;; Vendored strapdown is embedded inline (a bare <script> with the
+ ;; ~121KB bundle, not a <script src=...>).
+ (should (string-match-p "<script>" html))
+ (should (> (length html) 100000)))))
+ (kill-buffer src))))
+
(ert-deftest test-markdown-html-empty-source-buffer ()
"Boundary: an empty source buffer still yields the HTML shell."
(let ((src (generate-new-buffer " *md-empty*")))
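Review bot: The `src=\"https?://` assertion in test-markdown-html-vendors-strapdown-no-external-cdn is narrower than its comment "No external CDN of any kind": it only matches a double-quoted `src` attribute with an explicit scheme, so a `<link href="http://...">` stylesheet, a single-quoted attribute or a protocol-relative `src="//..."` would all pass. The commit message says the bundle carries bootstrap themes, so `href` deserves the same check as `src`; consider `(should-not (string-match-p "\\(?:src\\|href\\)=[\"']?\\(?:https?:\\)?//" html))`. If the inlined bundle legitimately contains such text inside JS string literals (not visible from this hunk), apply the match to the HTML shell outside the `<script>` body instead. The `<script>` plus `(> (length html) 100000)` pair only shows that something large was inlined; comparing the embedded text with the contents of assets/strapdown.js, or with a hash recorded when the bundle was reviewed, would tie the test to the vendored file and flag an unreviewed change to it.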