diff --git a/export/config/dok.export.php b/export/config/dok.export.php
index df13e9d2..4ca03518 100644
--- a/export/config/dok.export.php
+++ b/export/config/dok.export.php
@@ -16,19 +16,19 @@
 'components' => [
 'note' => [
- 'template' => 'components.hint.hint'
+ 'template' => 'components.hint.hint',
 ],
 'tip' => [
- 'template' => 'components.hint.hint'
+ 'template' => 'components.hint.hint',
 ],
 'important' => [
- 'template' => 'components.hint.hint'
+ 'template' => 'components.hint.hint',
 ],
 'caution' => [
- 'template' => 'components.hint.hint'
+ 'template' => 'components.hint.hint',
 ],
 'warning' => [
- 'template' => 'components.hint.hint'
+ 'template' => 'components.hint.hint',
 ],
 'lead' => [
 'template' => 'components.lead.lead',
diff --git a/export/content/collections/dok_3x/test.md b/export/content/collections/dok_3x/test.md
deleted file mode 100644
index a62262ac..00000000
--- a/export/content/collections/dok_3x/test.md
+++ /dev/null
@@ -1,398 +0,0 @@ ---- -id: bac29692-c875-4eb4-b2d4-c54e53370da1 -blueprint: dok_3x -title: Test -use_synced_content: false -updated_by: cbf6fa94-2658-4dec-9152-30c80d3c652c -updated_at: 1769275095 ---- -TODO - -[Decimal HTML Character References](javascript:alert('XSS')) - -[Decimal HTML Character References Without Trailing Semicolons](javascript:alert('XSS')) - -[Hexadecimal HTML Character References Without Trailing Semicolons](javascript:alert('XSS')) - -[Embedded Tab](jav ascript:alert('XSS')) - -[sadsd](jav ascript:alert(conso)) - -[asdasdsad]( javascript:alert('XSS') ) - - -what **the heck** - - -:::card title="" -what **the heck** -:::/card - -### Test 1: Basic JavaScript -:::card {href="javascript:alert('XSS')"} -Should be blocked - renders as DIV -::: - -### Test 2: JavaScript with encoding -:::card {href="jAvAsCrIpT:alert('XSS')"} -Should be blocked - case variation -::: - -### Test 3: Data URI -:::card {href="data:text/html,"} -Should be blocked -::: - -### Test 4: VBScript -:::card {href="vbscript:alert('XSS')"} -Should be blocked -::: - -### Test 5: File protocol -:::card {href="file:///etc/passwd"} -Should be blocked -::: - -### Test 6: JavaScript with HTML entities -:::card {href="java script:alert('XSS')"} -Should be blocked - tab character -::: - -### Test 7: JavaScript with line break -:::card {href="java -script:alert('XSS')"} -Should be blocked - newline -::: - -### Test 8: JavaScript with null byte -:::card {href="javascript�:alert('XSS')"} -Should be blocked -::: - -### Test 9: Safe HTTPS URL (Control) -:::card {href="https://example.com"} -Should WORK - renders as A tag -::: - -### Test 10: Safe relative URL (Control) -:::card {href="/dashboard"} -Should WORK - renders as A tag -::: - -### Test 11: Safe mailto (Control) -:::card {href="mailto:test@example.com"} -Should WORK if mailto is allowed -::: - -## Attribute Injection Tests - -### Test 12: Event handler in title -:::card {title="test\" onload=\"alert('XSS')"} -Should be escaped - no 
alert -::: - -### Test 13: Event handler in custom attribute -:::card {data-custom="test\" onclick=\"alert('XSS')"} -Should be escaped -::: - -### Test 14: Script in title -:::card {title=""} -Should be escaped - displays as text -::: - -### Test 15: Image onerror in title -:::card {title=""} -Should be escaped -::: - -### Test 16: Style injection -:::card {title="test\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;background:red;z-index:9999"} -Should be escaped -::: - -## Icon Path Tests - -### Test 17: Path traversal -:::card {icon="../../etc/passwd"} -Should be blocked -::: - -### Test 18: Path traversal with encoding -:::card {icon="..%2f..%2fetc%2fpasswd"} -Should be blocked -::: - -### Test 19: Safe icon (Control) -:::card {icon="icon/info"} -Should WORK -::: - -## Slot Content Tests - -### Test 20: Script tag in slot -:::card - -::: - - -### Test 21: Image onerror in slot -:::card - -::: - - -### Test 22: SVG with script -:::card - -::: - -### Test 23: Iframe injection -:::card -
Click me
-::: - - - -## Edge Cases - -### Test 27: Multiple dangerous attributes -:::card {href="javascript:alert(1)" title="" onclick="alert(3)"} -All should be blocked/escaped -::: - -### Test 28: Empty href -:::card {href=""} -Should render as DIV -::: - -### Test 29: Whitespace in href -:::card {href=" javascript:alert('XSS') "} -Should be blocked (after trim) -::: - -### Test 30: Unicode in JavaScript -:::card {href="\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074:alert('XSS')"} -Should be blocked -::: - -### Test 31: HTML entities in href -:::card {href="javascript:alert('XSS')"} -Should be blocked -::: - -### Test 32: Mixed case with encoding -:::card {href="JaVaScRiPt:alert('XSS')"} -Should be blocked -::: - - - - -:::cardgroup - -:::card icon="icon/download" title="Installation" href="/docs/3.x/installation" -Get started with writing your documentation site. - -:::slot.cta -Get started with Dok -:::/slot -:::/card - -:::card icon="icon/coins" title="Purchase" href="https://statamic.com/starter-kits/fawn/dok-documentation" -Not got a licence yet? You can buy Dok from the Statamic marketplace. - -:::slot.cta -View on the marketplace -:::/slot - -:::/card - -:::/cardgroup - - - - - - - - \ No newline at end of file diff --git a/export/resources/css/base/prose/prose-lists.css b/export/resources/css/base/prose/prose-lists.css index 89492e64..a0394634 100644 --- a/export/resources/css/base/prose/prose-lists.css +++ b/export/resources/css/base/prose/prose-lists.css @@ -45,14 +45,6 @@ @layer prose.children { .prose { - /* TODO: Test this, this has weird behaviour */ - /* :where(ul ul, ol ol, ul ol, ol, ul):not( - :where(.not-prose, .not-prose *) - ) { - margin-top: --spacing(4); - margin-bottom: --spacing(10); - } */ - /* Give paragraphs less space because we're in a list */ :where(ul > li p, ol > li p):not(:where(.not-prose, .not-prose *)) { margin-top: --spacing(2); 
diff --git a/export/resources/js/tests/accessibility.test.js b/export/resources/js/tests/accessibility.test.js
index d954bf8c..3b29cfb0 100644
--- a/export/resources/js/tests/accessibility.test.js
+++ b/export/resources/js/tests/accessibility.test.js
@@ -1,4 +1,3 @@
-// accessibility.test.ts TODO
 import { describe, it, expect, beforeAll, afterAll } from "vitest";
 import { chromium } from "playwright";
 import { injectAxe, checkA11y } from "axe-playwright";
diff --git a/export/vite.config.js b/export/vite.config.js
index ed103a03..f97ffd8f 100644
--- a/export/vite.config.js
+++ b/export/vite.config.js
@@ -6,7 +6,6 @@ import statamic from '@statamic/cms/vite-plugin';
 export default defineConfig({
 plugins: [
- // TODO had to add statamic here??
 statamic(),
 laravel({
 input: [