
Comment by MajesticHobo2

14 hours ago

I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:

    foo onclick

the following shouldn't render:

    <a class="item muted sidebar-item-link" href=foo onclick>

The following should:

    <a class="item muted sidebar-item-link" href="foo onclick">

Oh, for sure! That'd end the conversation: "your change breaks the existing tests. Fix that and we'll re-consider."
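A test of the kind the comment proposes, as an added example that is not the project's own code: it renders the sidebar link with the href quoted and attribute-escaped, then feeds the markup to Python's own HTML parser and checks that no attribute other than `class` and `href` comes out and that `href` round-trips to the exact input. The template string, the function names and the sample label are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Added example, not the project's code: template and names are assumptions.
TEMPLATE = '<a class="item muted sidebar-item-link" href="{href}">{label}</a>'


def render_sidebar_link(url: str, label: str) -> str:
    """Hardened form: the href is always quoted, and html.escape(quote=True)
    turns '"' into '&quot;' so the value cannot close the attribute either."""
    return TEMPLATE.format(href=html.escape(url, quote=True),
                           label=html.escape(label))


def render_unquoted(url: str, label: str) -> str:
    """The defect the PR fixes: an unquoted href lets whitespace in the URL
    start a new attribute. Kept only so the test can show it failing."""
    return (f'<a class="item muted sidebar-item-link" href={url}>'
            f'{html.escape(label)}</a>')


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> start tag the way a parser
    sees them: quotes removed, entities decoded, valueless attrs -> None."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_anchor_attrs(markup: str) -> dict:
    p = _AnchorAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or {}


def link_is_injection_safe(markup: str, url: str) -> bool:
    """True when the parsed tag carries only class and href, and href equals
    the attacker-controlled URL exactly. This checks attribute quoting only;
    it does not validate the URL scheme."""
    attrs = parse_anchor_attrs(markup)
    return set(attrs) == {"class", "href"} and attrs.get("href") == url


if __name__ == "__main__":
    url = "foo onclick"  # constructed attacker-controlled URL from the comment
    assert link_is_injection_safe(render_sidebar_link(url, "Home"), url)
    assert not link_is_injection_safe(render_unquoted(url, "Home"), url)
```

The last assertion on a URL containing a double quote matters too: quoting alone is not enough if the value is not escaped, which is why `render_sidebar_link` uses `html.escape(quote=True)`.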