fix: harden recipe content against stored XSS (chips, instructions, asset media) (#7719)

Hayden
2026-05-31 11:14:16 -05:00
committed by GitHub
parent 48752bcd06
commit 2d8b74282a
15 changed files with 362 additions and 49 deletions


@@ -27,6 +27,31 @@ def test_non_default_settings(monkeypatch):
assert app_settings.DOCS_URL is None
def test_allowed_iframe_hosts_defaults(monkeypatch):
monkeypatch.delenv("ALLOWED_IFRAME_HOSTS", raising=False)
get_app_settings.cache_clear()
app_settings = get_app_settings()
# Secure defaults are always present and never empty (empty would disable iframe embeds).
assert "youtube.com" in app_settings.allowed_iframe_hosts
assert "vimeo.com" in app_settings.allowed_iframe_hosts
def test_allowed_iframe_hosts_extends_defaults(monkeypatch):
monkeypatch.setenv("ALLOWED_IFRAME_HOSTS", " Example.com , trusted.tld ,, ")
get_app_settings.cache_clear()
app_settings = get_app_settings()
hosts = app_settings.allowed_iframe_hosts
# Configured hosts are normalized, blanks dropped, and defaults retained.
assert "example.com" in hosts
assert "trusted.tld" in hosts
assert "youtube.com" in hosts
assert "" not in hosts
# No duplicates.
assert len(hosts) == len(set(hosts))
def test_default_connection_args(monkeypatch):
monkeypatch.setenv("DB_ENGINE", "sqlite")
get_app_settings.cache_clear()
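Review bot: The duplicate check `assert len(hosts) == len(set(hosts))` in test_allowed_iframe_hosts_extends_defaults cannot fail with the supplied value, because none of the configured hosts overlap the defaults and the only blank entries are already covered by the `"" not in hosts` assertion, so de-duplication against the built-in allowlist is not actually exercised; if `allowed_iframe_hosts` is a set the check is tautological in any case. Include a default in the configured value with different casing, `monkeypatch.setenv("ALLOWED_IFRAME_HOSTS", " Example.com , trusted.tld ,, YouTube.com ")`, and pin the merge with `assert sorted(hosts).count("youtube.com") == 1`, which works whether the attribute is a list or a set. Since this allowlist gates which origins may be embedded, a companion test feeding a value with a scheme or path (for example `"https://trusted.tld/embed"`) would document whether such entries are normalized to a bare host or rejected — the normalization rules are not visible in this hunk, so the expected outcome needs confirming against the settings code. The two new tests are complete within the hunk; test_default_connection_args continues outside it.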