mirror of
https://github.com/EKKOLearnAI/hermes-web-ui.git
synced 2026-05-25 21:40:13 +00:00
ekko
477af66232
* feat(chat): polish syntax highlighting and tool payload rendering (#94) * [verified] feat(chat): polish syntax highlighting and tool payload rendering * [verified] fix(chat): tighten large tool payload rendering * docs: update data volume path in Docker docs Align documentation with docker-compose.yml change: hermes-web-ui-data -> hermes-web-ui, /app/dist/data -> /root/.hermes-web-ui Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: bundle server build and restructure service modules - Add build-server.mjs script for standalone server compilation - Add logger service with structured output - Restructure auth, gateway-manager, hermes-cli, hermes services - Update docker-compose volume mount path - Update tsconfig and entry point for bundled server Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: separate controllers from routes and centralize route registration - Extract business logic from route handlers into controllers/ - Add centralized route registry in routes/index.ts with public/auth/protected layers - Replace global auth whitelist with sequential middleware registration - Extract shared helpers to services/config-helpers.ts - Allow custom provider name to be user-editable in ProviderFormModal - Deduplicate custom providers by poolKey instead of base_url in getAvailable Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: auth bypass via path case, SPA serving, and provider improvements - Fix auth bypass: path case-insensitive check for /api, /v1, /upload - Fix SPA returning 401: skip auth for non-API paths (static files) - Fix profile switch: use local loading state instead of shared store ref - Auto-append /v1 to base_url when fetching models (frontend + backend) - Guard .env writing to built-in providers only - Add builtin field to provider presets, enable base_url input in form - Print auth token to console on startup (pino only writes to file) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Zhicheng Han <43314240+hanzckernel@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
40 lines
1.3 KiB
TypeScript
40 lines
1.3 KiB
TypeScript
import { describe, expect, it } from 'vitest'
|
|
|
|
import { renderHighlightedCodeBlock } from '@/components/hermes/chat/highlight'
|
|
|
|
describe('highlight safety', () => {
|
|
it('escapes large unknown code content', () => {
|
|
const html = renderHighlightedCodeBlock('<img src=x onerror=alert(1)>'.repeat(100), 'unknown', 'Copy')
|
|
|
|
expect(html).toContain('<img')
|
|
expect(html).not.toContain('<img')
|
|
})
|
|
|
|
it('does not emit executable HTML for known-language code', () => {
|
|
const html = renderHighlightedCodeBlock('<script>alert(1)</script>', 'xml', 'Copy')
|
|
|
|
expect(html).not.toContain('<script>')
|
|
expect(html).toContain('<')
|
|
})
|
|
|
|
it('escapes the language label', () => {
|
|
const html = renderHighlightedCodeBlock('x'.repeat(5000), '<script>alert(1)</script>', 'Copy')
|
|
|
|
expect(html).toContain('<script>alert(1)</script>')
|
|
expect(html).not.toContain('<script>')
|
|
})
|
|
|
|
it('sanitizes the language class', () => {
|
|
const html = renderHighlightedCodeBlock('x'.repeat(5000), 'foo bar"><img', 'Copy')
|
|
|
|
expect(html).toContain('language-foo-bar---img')
|
|
})
|
|
|
|
it('escapes the copy label', () => {
|
|
const html = renderHighlightedCodeBlock('x', 'json', 'Copy <now>')
|
|
|
|
expect(html).toContain('Copy <now>')
|
|
expect(html).not.toContain('Copy <now>')
|
|
})
|
|
})
|