Hacker News new | ask | show | jobs
by MajesticHobo2 58 days ago
I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:

    foo onclick
the following shouldn't render:

    <a class="item muted sidebar-item-link" href=foo onclick>
The following should:

    <a class="item muted sidebar-item-link" href="foo onclick">
1 comments
kstrauser 58 days ago
Oh, for sure! That'd end the conversation: "your change breaks the existing tests. Fix that and we'll re-consider."
link