etherpad-lite/src/tests
John McLear 01500ca70c
chore(deps): vendor the unmaintained security escaper into core (#7993)
* chore(deps): vendor the unmaintained `security` escaper into core

The `security` npm package (escapeHTML / escapeHTMLAttribute and the JS/CSS
encoders) has had no release since 2012, yet it sits directly in Etherpad's
client-side XSS-defense path (pad_utils, domline) and the server-side HTML
export. Rather than keep a 14-year-old, single-maintainer dependency guarding
output encoding, vendor its implementation into core.

- static/js/security.ts now contains the escaping logic directly (reproduced
  verbatim from security@1.0.0, MIT, Chad Weider — byte-identical output) and
  no longer does `require('security')`. The full public API is preserved, so
  plugins that `require('ep_etherpad-lite/static/js/security')` keep working
  unchanged.
- pad_utils.ts requires the local './security' module instead of the bare
  'security' specifier (domline.ts and ExportHtml.ts already did).
- Drop `security` from src/package.json dependencies and from Minify's
  LIBRARY_WHITELIST (no bare specifier is served to the browser anymore).

Added tests/backend/specs/security.ts locking the byte-for-byte escaping
output so the vendored copy can never silently drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix: use ESM named exports so vitest can resolve the security module

CI "Run the new vitest tests" failed with `Cannot find module './security'`
from pad_utils.ts. vitest/vite's CJS require() shim doesn't add a `.ts`
extension when resolving a relative specifier, so `require('./security')`
couldn't locate security.ts. (The old bare `require('security')` resolved to
a real .js in node_modules, which is why this only surfaced after vendoring.)

- security.ts now uses ESM `export const` for the seven helpers instead of a
  `module.exports = {...}` block.
- pad_utils.ts imports it as `import * as Security from './security'`, which
  goes through vite's resolver (knows .ts) and is also properly typed.

CJS consumers (domline.ts, ExportHtml.ts, the backend spec) keep working via
tsx/esbuild ESM->CJS interop. Verified: tsc clean, full vitest suite 721
passing, and the mocha security/export/import specs 27 passing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: force fresh run (prior run used a stale merge ref after reopen)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix: remove ReDoS in vendored JSON-string-literal regex

CodeQL flagged a high-severity exponential-backtracking alert on the
JSON-string-literal regex vendored from the `security` package:
`/"(?:\\.|[^"])*"/`. The `[^"]` class also matches a backslash, so it overlaps
with the `\\.` alternative and backtracks exponentially on adversarial input
like `"\!\!\!...` (no closing quote). The original lived inside node_modules so
it was never scanned; vendoring it surfaced the alert.

Fix to the canonical linear form `/"(?:[^"\\]|\\.)*"/`, where the backslash is
excluded from the character class so the two alternatives are mutually
exclusive. It matches exactly the same well-formed JSON string literals (and
encodeJavaScriptData only ever runs it over JSON.stringify output), so behaviour
is unchanged for valid input.

Added tests: encodeJavaScriptData output + a ReDoS guard that runs the regex
over 50k adversarial chars and asserts it returns in well under a second.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 09:56:40 +01:00
..
backend chore(deps): vendor the unmaintained security escaper into core (#7993) 2026-06-22 09:56:40 +01:00
backend-new fix(editor): tag inserts with clientVars author until userAuthor propagates (Firefox authorship flake) (#7910) 2026-06-08 20:41:13 +01:00
container chore(deps): drop three unmaintained dependencies (unorm, find-root, jsonminify) (#7992) 2026-06-22 09:53:27 +01:00
downstream ci(downstream): robust per-client error handling in run-clients.sh (#7927) 2026-06-09 14:31:05 +01:00
fixtures test: downstream client compatibility gate (Phase 1) (#7923) 2026-06-09 11:40:58 +01:00
frontend test(timeslider): port legacy mocha specs to Playwright, retire orphaned suite (#7949) 2026-06-12 12:14:39 +01:00
frontend-new fix(pad): keep token-less Delete pad reachable without pad-wide settings (#7959) (#7960) 2026-06-17 15:18:23 +01:00
ratelimit chore: updated clients to esm (#7627) 2026-04-28 21:46:49 +02:00
README.md restructure: move bin/ and tests/ to src/ 2021-02-04 17:15:08 -05:00
settings.json Add creator-owned pad settings defaults (#7545) 2026-04-19 11:13:44 +01:00

About this folder: Tests

Before running the tests, start an Etherpad instance on your machine.

Frontend

To run the frontend tests, point your browser to <yourdomainhere>/tests/frontend

Backend

To run the backend tests, run cd src and then npm test