// Probe the threads plugin XSS fix. Run from the monorepo root with: // node scripts/probe-threads-xss.mjs import { generateScripts } from '../packages/plugins/threads/dist/index.js'; import fs from 'node:fs/promises'; const tmpDir = '/tmp/xss-verify'; await fs.mkdir(`${tmpDir}/docs/.threads`, { recursive: true }); await fs.writeFile(`${tmpDir}/docs/.threads/authors.json`, JSON.stringify({ alice: { name: 'Alice', bio: 'evil\u2028lineTerminator' }, bob: 'not an object' })); const orig = process.cwd(); process.chdir(tmpDir); try { const out = generateScripts({ src: 'docs', _activeLocale: { id: 'en' } }, { sidebar: true }); const html = out.bodyScriptsHtml; console.log('--- output ---'); console.log(html); console.log('--- checks ---'); const checks = { // The dangerous form is `` of the outer wrapping // tag itself is fine — we expect exactly one // such occurrence (the closing tag) and it must be the LAST `` // in the string. 'has unescaped { const matches = html.match(/(? v); console.log(allPass ? '\nALL CHECKS PASS' : '\nFAILURES PRESENT'); process.exit(allPass ? 0 : 1); } finally { process.chdir(orig); await fs.rm(tmpDir, { recursive: true, force: true }); }