From 863950eb256691b74f7b3c786e8dc5006705a10e Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 24 Jun 2026 23:50:44 -0400 Subject: [PATCH] =?UTF-8?q?test(ui):=20React=20parity=20=E2=80=94=20danger?= =?UTF-8?q?ouslySetInnerHTML=20/=20RawHTML=20in=20SSR?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ports React's ReactDOMServerIntegrationElements dangerouslySetInnerHTML behavior, adapted to GWC's html.RawHTML (renders raw markup but sanitizes by default — a safety improvement over React's raw injection): - safe markup is preserved - keep")); strings.Contains(parseGot, ": %q", parseGot) + } + + // A javascript: href is stripped by the sanitizer. + if parseGot := render(html.RawHTML(`x`)); strings.Contains(strings.ToLower(parseGot), "javascript:") { + t.Errorf("RawHTML did not strip javascript: href: %q", parseGot) + } + + // An on*= handler is stripped. + if parseGot := render(html.RawHTML(``)); strings.Contains(strings.ToLower(parseGot), "onerror") { + t.Errorf("RawHTML did not strip on*= handler: %q", parseGot) + } + + // RawHTMLUnsafe renders verbatim (no sanitization). + if parseGot := render(html.RawHTMLUnsafe("raw")); parseGot != "
raw
" { + t.Errorf("RawHTMLUnsafe = %q, want
raw
", parseGot) + } +}