Add test case about HTML injection for rendering <figcaption>

marp-team · Sep 9, 2023 · a4318b3 · a4318b3
1 parent 33240f9
commit a4318b3
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/test/markdown/background_image.js b/test/markdown/background_image.js
@@ -212,6 +212,7 @@ describe('Marpit background image plugin', () => {
           ![bg fit  The background image](A)
           ![This is bg 20% w:40% xxxxx](B)
           ![    bg      ](C)
+          ![bg <b>should <br /> escape</b>](D)
         `),
       )
       const figures = $('figure')
@@ -222,7 +223,14 @@ describe('Marpit background image plugin', () => {
       )
       expect(figures.eq(1).is(':has(figcaption)')).toBe(true)
       expect(figures.eq(1).find('figcaption').text()).toBe('This is xxxxx')
+
+      // Ignore whitespaces
       expect(figures.eq(2).is(':has(figcaption)')).toBe(false)
+
+      // XSS
+      expect(figures.eq(3).is(':has(figcaption)')).toBe(true)
+      expect(figures.eq(3).is(':has(b)')).toBe(false)
+      expect(figures.eq(3).is(':has(br)')).toBe(false)
     })
 
     it('assigns background-size style with resizing keyword / scale', () => {