fix: TTS sanitization (code-scanning #21) + repair broken Playwright e2e suite (#190)#191

Open: devartifex wants to merge 2 commits into master from devartifex/fix-code-scanning-21
Open

fix: TTS sanitization (code-scanning #21) + repair broken Playwright e2e suite (#190)#191
devartifex wants to merge 2 commits into
masterfrom
devartifex/fix-code-scanning-21

Conversation

@devartifex (Owner) commented Jun 1, 2026

This PR bundles two related maintenance fixes.

1. Code-scanning #21 — incomplete multi-character sanitization (TTS)

stripHtmlTags() in src/lib/stores/tts.svelte.ts removed HTML tags with a
single non-iterative regex pass, which could leave behind tag fragments on
crafted input (CodeQL js/incomplete-multi-character-sanitization). Replaced
with an iterative strip that runs until the string stabilizes.

2. Issue #190 — broken Playwright e2e suite

The e2e suite had been failing/timing out in CI. Two root causes:

  1. Rate limiting. hooks.server.ts capped requests at 200/15 min/IP
    unconditionally. The full suite issues far more than that from a single IP,
    so every request 429'd, the chat never loaded, and CI hit the 30-minute
    timeout. The cap is now configurable via RATE_LIMIT_MAX (0 disables) and
    set to 0 in the Playwright webServer env.

  2. Stale specs vs. UI redesigns. ~34 tests referenced removed/renamed markup
    and behavior:

    • voice mic button replacing the send button on empty input
    • TopBar connection dot removed; hamburger hidden on desktop (≥1024px)
    • persistent desktop Sidebar with renamed classes (.sidebar,
      .sidebar-backdrop)
    • SourcedAgentInfo agents shape (source/isSelected)
    • additionalInstructions settings field (was customInstructions)
    • usage message must precede turn_end
    • looser SSR auth regex (SSR now includes byokEnabled)

    Specs and helpers were updated to match the current components (added a
    viewport-aware openSidebar helper). Auth-flow tests additionally needed
    service workers blocked: the SW's controllerchange handler reloads the
    page, and the precached HTML dropped the test's auth patch, flipping back to
    the login screen.

Verification

  • All 126 desktop e2e tests pass locally (the --project=desktop matrix CI runs).
  • hooks.server.test.ts (20) and config.test.ts (14) unit tests pass.

Closes #190
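As an added example (not the project's own hooks.server.ts), here is the configurable-cap pattern the PR describes: a per-IP fixed-window limiter that reads its cap from RATE_LIMIT_MAX, where 0 disables limiting and anything unset or malformed falls back to the 200-requests-per-15-minutes default quoted above. The parsing helper, the limiter class and the fixed-window bookkeeping are assumptions, not the project's code.

```typescript
// Added example (not the project's hooks.server.ts): per-IP fixed-window limiter
// whose cap comes from RATE_LIMIT_MAX. Figures (200 per 15 min) follow the PR
// text; the parser and limiter shape are assumptions.

const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const DEFAULT_MAX = 200;          // production cap when the variable is unset

// Parse RATE_LIMIT_MAX. Only an explicit "0" disables limiting; unset, empty,
// non-integer or negative values fall back to the production default so a
// misconfigured environment never silently turns the limiter off.
function parseRateLimitMax(raw: string | undefined): number {
  if (raw === undefined || raw.trim() === '') return DEFAULT_MAX;
  const n = Number(raw);
  if (!Number.isInteger(n) || n < 0) return DEFAULT_MAX;
  return n;
}

interface Bucket { count: number; windowStart: number; }

class IpRateLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private readonly max: number, private readonly windowMs: number = WINDOW_MS) {}

  // Returns true if the request may proceed, false if the caller should answer 429.
  allow(ip: string, now: number): boolean {
    if (this.max === 0) return true; // RATE_LIMIT_MAX=0: limiting disabled (test env only)
    const b = this.buckets.get(ip);
    if (!b || now - b.windowStart >= this.windowMs) {
      // First request from this IP, or the previous window has expired: start a new one.
      this.buckets.set(ip, { count: 1, windowStart: now });
      return true;
    }
    b.count++;
    return b.count <= this.max;
  }
}
```

Because the fallback is the production cap, a missing variable never disables limiting; only the explicit 0 placed in the Playwright webServer env does.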

Apply iterative tag removal to handle nested/split tags like
<scr<script>ipt> that survive a single-pass replace.

Fixes code-scanning alert #21 (js/incomplete-multi-character-sanitization).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
```typescript
function stripHtmlTags(text: string): string {
  const tagPattern = /<[^>]*>/g;
  let previous = text;
  let result = text.replace(tagPattern, '');
  // Re-run the replace until the string stabilizes, so fragments like <scr<script>ipt> are fully removed
  while (result !== previous) { previous = result; result = result.replace(tagPattern, ''); }
  return result;
}
```
The e2e suite had been failing/timing out in CI. Two root causes:

1. Rate limiting: hooks.server.ts capped requests at 200/15min/IP
   unconditionally. The full suite issues far more than that from a
   single IP, so every request 429'd, the chat never loaded, and CI
   hit the 30-minute timeout. Made the cap configurable via
   RATE_LIMIT_MAX (0 disables) and set it to 0 in the Playwright
   webServer env and the CI e2e step.

2. Stale specs vs. UI redesigns: ~34 tests referenced removed/renamed
   markup and behavior (voice mic button, TopBar connection dot
   removal, persistent desktop Sidebar with renamed classes,
   SourcedAgentInfo agents shape, additionalInstructions settings
   field, usage-before-turn_end ordering, looser SSR auth regex).
   Updated the specs and helpers (added viewport-aware openSidebar)
   to match the current components.

   Auth-flow tests also needed service workers blocked: the SW's
   controllerchange handler reloads the page, and the precached HTML
   dropped the test's auth patch, flipping back to the login screen.

All 126 desktop e2e tests now pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions bot added the labels documentation (Improvements or additions to documentation), security (Security related), backend and tests on Jun 1, 2026.
devartifex changed the title from "fix: prevent incomplete HTML tag sanitization in TTS (code-scanning #21)" to "fix: TTS sanitization (code-scanning #21) + repair broken Playwright e2e suite (#190)" on Jun 1, 2026.

Successfully merging this pull request may close these issues: CI: Playwright e2e suite has been broken since at least 2026-05-11