fix(pdf): Segoe UI everywhere + rich-text colors survive sanitization
- section/Quill overrides, footers and the shared header now lead with 'Segoe UI' (installed on prod) instead of Tahoma (not installed — prod silently rendered sections and footers in Noto Sans, mismatching the Segoe UI body; dev previews showed real Tahoma and never matched prod) - cleanQuillHtml no longer deletes ALL style attributes: color and background-color survive with strictly validated literal values (hex, rgb/rgba, keyword) so editor font colors finally reach the PDF; url(), expression() and every other declaration are still stripped — new test file pins both the kept colors and the attack vectors Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
44
src/__tests__/pdf-shared.test.ts
Normal file
44
src/__tests__/pdf-shared.test.ts
Normal file
@@ -0,0 +1,44 @@
|
||||
import { describe, it, expect } from "vitest";
|
||||
import { cleanQuillHtml } from "../utils/pdf-shared";
|
||||
|
||||
describe("cleanQuillHtml — inline-style whitelist", () => {
|
||||
it("keeps Quill text and background colors", () => {
|
||||
const html =
|
||||
'<p><span style="color: rgb(230, 0, 0);">červeně</span> ' +
|
||||
'<span style="background-color: #ffff00;">zvýrazněně</span> ' +
|
||||
'<span style="color: #06c;">modře</span></p>';
|
||||
const out = cleanQuillHtml(html);
|
||||
expect(out).toContain('style="color: rgb(230, 0, 0)"');
|
||||
expect(out).toContain('style="background-color: #ffff00"');
|
||||
expect(out).toContain('style="color: #06c"');
|
||||
});
|
||||
|
||||
it("drops every non-color style declaration", () => {
|
||||
const out = cleanQuillHtml(
|
||||
'<span style="position: fixed; color: red; font-size: 99px;">x</span>',
|
||||
);
|
||||
expect(out).toBe('<span style="color: red">x</span>');
|
||||
});
|
||||
|
||||
it("drops unsafe color values (url, expression, quotes)", () => {
|
||||
expect(
|
||||
cleanQuillHtml('<span style="color: url(javascript:alert(1))">x</span>'),
|
||||
).toBe("<span>x</span>");
|
||||
expect(
|
||||
cleanQuillHtml('<span style="color: expression(alert(1))">x</span>'),
|
||||
).toBe("<span>x</span>");
|
||||
expect(cleanQuillHtml("<span style='color: \"red\"'>x</span>")).toBe(
|
||||
"<span>x</span>",
|
||||
);
|
||||
});
|
||||
|
||||
it("keeps stripping scripts, event handlers and js: URLs", () => {
|
||||
const out = cleanQuillHtml(
|
||||
'<p onclick="alert(1)"><script>alert(1)</script>' +
|
||||
'<a href="javascript:alert(1)">x</a></p>',
|
||||
);
|
||||
expect(out).not.toContain("script");
|
||||
expect(out).not.toContain("onclick");
|
||||
expect(out).not.toContain("javascript:");
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user