// Probe the threads plugin XSS fix. Run from the monorepo root with:
// node scripts/probe-threads-xss.mjs
import { generateScripts } from '../packages/plugins/threads/dist/index.js';
import fs from 'node:fs/promises';
const tmpDir = '/tmp/xss-verify';
await fs.mkdir(`${tmpDir}/docs/.threads`, { recursive: true });
await fs.writeFile(`${tmpDir}/docs/.threads/authors.json`, JSON.stringify({
alice: {
name: 'Alice',
bio: 'evil\u2028lineTerminator'
},
bob: 'not an object'
}));
const orig = process.cwd();
process.chdir(tmpDir);
try {
const out = generateScripts({ src: 'docs', _activeLocale: { id: 'en' } }, { sidebar: true });
const html = out.bodyScriptsHtml;
console.log('--- output ---');
console.log(html);
console.log('--- checks ---');
const checks = {
// The dangerous form is `` of the outer wrapping
// tag itself is fine — we expect exactly one
// such occurrence (the closing tag) and it must be the LAST ``
// in the string.
'has unescaped {
const matches = html.match(/(? v);
console.log(allPass ? '\nALL CHECKS PASS' : '\nFAILURES PRESENT');
process.exit(allPass ? 0 : 1);
} finally {
process.chdir(orig);
await fs.rm(tmpDir, { recursive: true, force: true });
}