WIP! A BB-style forum, on the ATmosphere! We're still working... we'll be back soon when we have something to show off!
node typescript hono htmx atproto

fix(web): tighten sanitization assertions to --name: format, restore var(--color-bg) in preview template (ATB-59)

Malpercio f6c845c1 d5042285

+6 -3
+5 -2
apps/web/src/routes/__tests__/admin-themes.test.tsx
··· 314 314 expect(html).not.toContain("--injected"); 315 315 // The entire dirty value must be dropped — not just the injected suffix 316 316 // (a partial-strip bug would output '--color-bg: red' which looks safe) 317 - expect(html).not.toContain("--color-bg"); 317 + // Uses colon suffix to match the tokensToCss declaration format (--name: value) 318 + // and avoid false matches on var(--color-bg) references in the template HTML 319 + expect(html).not.toContain("--color-bg:"); 318 320 }); 319 321 320 322 it("drops token values containing '}' (CSS block-escape injection prevention)", async () => { ··· 338 340 // The injected block-escape value must not appear 339 341 expect(html).not.toContain("red} body"); 340 342 // The entire dirty value must be dropped — not just the injected suffix 341 - expect(html).not.toContain("--color-bg"); 343 + // (colon suffix matches tokensToCss format; avoids false match on var(--color-bg) in template) 344 + expect(html).not.toContain("--color-bg:"); 342 345 }); 343 346 344 347 it("returns an empty-token preview fragment when no tokens are submitted (does not crash)", async () => {
+1 -1
apps/web/src/routes/admin-themes.tsx
··· 192 192 <input 193 193 type="text" 194 194 placeholder="Reply…" 195 - style="font-family:var(--font-body);font-size:var(--font-size-base);border:var(--input-border);border-radius:var(--input-radius);padding:var(--space-sm) var(--space-md);width:100%;box-sizing:border-box;background:var(--color-surface);color:var(--color-text);margin-bottom:var(--space-sm);" 195 + style="font-family:var(--font-body);font-size:var(--font-size-base);border:var(--input-border);border-radius:var(--input-radius);padding:var(--space-sm) var(--space-md);width:100%;box-sizing:border-box;background:var(--color-bg);color:var(--color-text);margin-bottom:var(--space-sm);" 196 196 /> 197 197 <div style="display:flex;gap:var(--space-sm);flex-wrap:wrap;"> 198 198 <button
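Review bot: In both changed assertions in admin-themes.test.tsx (new lines 319 and 344), `expect(html).not.toContain("--color-bg:")` is a negative check on one exact spelling, so it passes silently if the declaration ever reaches the output formatted differently, for example as `--color-bg :`. Consider `expect(html).not.toMatch(/--color-bg\s*:/)`, or run the assertion against only the generated token CSS instead of the whole HTML. Either way the test would still catch the partial-strip case described in the comment without depending on what the template happens to contain.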
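Review bot: On the `<input>` at line 195 of admin-themes.tsx, `background:var(--color-bg)` has no fallback, yet the tests touched in this same commit cover the case where the sanitizer drops the whole `--color-bg` declaration. If nothing else defines that custom property for the preview, the background declaration is invalid at computed-value time and the input falls back to a transparent background. Consider giving `var()` a second argument with a safe default, or adding a test that the preview still renders with a defined background when the token is dropped.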