');
});
});
+
+describe('Bitfield parser security', () => {
+ it('parses bitfield with unquoted keys', async () => {
+ const code = `[
+ { name: "IPO", bits: 8, attr: "RO" },
+ { bits: 7 }
+ ]`;
+ const result = await renderBitfield(code, {});
+ expect(typeof result).toBe('string');
+ expect(result).toContain(' {
+ const code = `[
+ { name: 'IPO', bits: 8, attr: 'RO' }
+ ]`;
+ const result = await renderBitfield(code, {});
+ expect(typeof result).toBe('string');
+ expect(result).toContain(' {
+ const code = `[
+ { name: "IPO", bits: 8, attr: "RO", },
+ { name: "BRK", bits: 5, attr: "RW", },
+ { bits: 7, },
+ ]`;
+ const result = await renderBitfield(code, {});
+ expect(typeof result).toBe('string');
+ expect(result).toContain(' {
+ const code = `[
+ // interrupt pending register
+ { name: "IPO", bits: 8, attr: "RO" },
+ { bits: 7 }
+ ]`;
+ const result = await renderBitfield(code, {});
+ expect(typeof result).toBe('string');
+ expect(result).toContain(' {
+ const code = `[
+ { name: "STATUS", bits: 8, addr: 0x0F }
+ ]`;
+ const result = await renderBitfield(code, {});
+ expect(typeof result).toBe('string');
+ expect(result).toContain(' {
+ const code = '(() => { throw new Error("pwned"); })()';
+ const result = await renderBitfield(code, {});
+ expect(result).toContain('');
+ });
+
+ it('blocks code execution via constructor access', async () => {
+ const code = 'this.constructor.constructor("return process")()';
+ const result = await renderBitfield(code, {});
+ expect(result).toContain('');
+ });
+});
diff --git a/test/browser/mathjax.spec.ts b/test/browser/mathjax.spec.ts
new file mode 100644
index 000000000..093137a67
--- /dev/null
+++ b/test/browser/mathjax.spec.ts
@@ -0,0 +1,183 @@
+import { expect, Page, test } from '@playwright/test';
+import { buildMathJaxConfigScript } from '../../src/markdown-engine/mathjax-config';
+import { getDefaultMathjaxConfig } from '../../src/notebook/types';
+import { startServer, TestServer } from './server';
+
+/**
+ * Real-browser tests for the client-side MathJax pipeline.
+ *
+ * - Equation numbering must stay correct across re-renders. The preview
+ * rebuilds the hidden DOM and re-typesets on every edit; without
+ * `typesetClear()` + `texReset()` MathJax keeps the previous run's labels
+ * and emits "Label … multiply defined" errors with drifting numbers.
+ * - Semantic enrichment (speech-rule-engine) must be disabled by default for
+ * performance (#2312), and re-enableable via `mathjaxConfig`.
+ */
+
+// Minimal shape of the MathJax global used inside page.evaluate callbacks.
+interface MathJaxGlobal {
+ typesetClear: () => void;
+ texReset: () => void;
+ typesetPromise: (elements: Element[]) => Promise;
+ startup: {
+ promise: Promise;
+ document: { options: Record };
+ };
+}
+
+type WindowWithMathJax = Window &
+ typeof globalThis & { MathJax: MathJaxGlobal };
+
+let server: TestServer;
+
+test.beforeAll(async () => {
+ server = await startServer();
+});
+
+test.afterAll(async () => {
+ await server?.close();
+});
+
+const NUMBERED_DOC =
+ '$$\\begin{equation}\\label{eq:one}a+b=c\\end{equation}$$
' +
+ '$$\\begin{equation}\\label{eq:two}d+e=f\\end{equation}$$
';
+
+function makeConfig(optionOverrides?: Record) {
+ const cfg = getDefaultMathjaxConfig() as Record;
+ cfg.tex = {
+ inlineMath: [['$', '$']],
+ displayMath: [['$$', '$$']],
+ tags: 'ams',
+ };
+ cfg.startup = { typeset: false };
+ if (optionOverrides) {
+ cfg.options = {
+ ...((cfg.options as Record) || {}),
+ ...optionOverrides,
+ };
+ }
+ return cfg;
+}
+
+/**
+ * Load a fresh MathJax instance into the page using the engine's real
+ * `buildMathJaxConfigScript` output, then wait for startup to finish.
+ */
+async function loadMathJax(page: Page, config: Record) {
+ await page.goto(server.url);
+ page.on('pageerror', (e) => {
+ throw e;
+ });
+ await page.addScriptTag({ content: buildMathJaxConfigScript(config) });
+ await page.addScriptTag({ url: `${server.url}/mathjax/tex-mml-chtml.js` });
+ await page.evaluate(async () => {
+ await (window as WindowWithMathJax).MathJax.startup.promise;
+ });
+}
+
+/** Render the doc `rounds` times, mirroring the preview's renderMathJax. */
+async function renderRounds(
+ page: Page,
+ html: string,
+ withReset: boolean,
+ rounds: number = 3,
+) {
+ return page.evaluate(
+ async ({ html, withReset, rounds }) => {
+ const MathJax = (window as WindowWithMathJax).MathJax;
+ const hidden = document.getElementById('hidden')!;
+ const results: { tags: string[]; errors: string[] }[] = [];
+ for (let r = 0; r < rounds; r++) {
+ hidden.innerHTML = html;
+ if (withReset) {
+ MathJax.typesetClear();
+ MathJax.texReset();
+ }
+ await MathJax.typesetPromise([hidden]);
+ // CHTML renders each equation's number inside an element,
+ // e.g. "(1)".
+ const tags = [...hidden.querySelectorAll('mjx-labels')]
+ .map((n) => (n.textContent || '').trim())
+ .filter((t) => /^\(\d+\)$/.test(t));
+ const errors = [...hidden.querySelectorAll('mjx-merror')].map(
+ (n) => n.getAttribute('data-mjx-error') || n.textContent || '',
+ );
+ results.push({ tags, errors });
+ hidden.innerHTML = '';
+ }
+ return results;
+ },
+ { html, withReset, rounds },
+ );
+}
+
+test('equation numbering is stable across re-renders (with typesetClear/texReset)', async ({
+ page,
+}) => {
+ await loadMathJax(page, makeConfig());
+ const rounds = await renderRounds(page, NUMBERED_DOC, true);
+
+ for (const [i, round] of rounds.entries()) {
+ expect(round.errors, `render #${i} should have no MathJax errors`).toEqual(
+ [],
+ );
+ // Two numbered equations → tags (1) and (2), reset to the same values
+ // on every render.
+ expect(round.tags, `render #${i} equation numbers`).toEqual(['(1)', '(2)']);
+ }
+});
+
+test('dropping typesetClear/texReset regresses numbering (guards why we keep them)', async ({
+ page,
+}) => {
+ await loadMathJax(page, makeConfig());
+ const rounds = await renderRounds(page, NUMBERED_DOC, false);
+
+ // First render is clean; the regression shows up once the same labels are
+ // typeset again without resetting MathJax's label/equation state.
+ const laterErrors = rounds.slice(1).flatMap((r) => r.errors);
+ expect(laterErrors.join('\n')).toMatch(/multiply defined/i);
+});
+
+test('semantic enrichment is disabled by default for performance (#2312)', async ({
+ page,
+}) => {
+ await loadMathJax(page, makeConfig());
+ await renderRounds(page, NUMBERED_DOC, true, 1);
+
+ const state = await page.evaluate(() => {
+ const MathJax = (window as WindowWithMathJax).MathJax;
+ const hidden = document.getElementById('hidden')!;
+ // Re-render so we can inspect the output DOM for enrichment artifacts.
+ hidden.innerHTML = '$$x^2 + y^2 = z^2$$
';
+ return MathJax.typesetPromise([hidden]).then(() => ({
+ enableEnrichment: MathJax.startup.document.options.enableEnrichment,
+ semanticNodes: hidden.querySelectorAll(
+ '[data-semantic-id], [data-semantic-speech], mjx-assistive-mml',
+ ).length,
+ }));
+ });
+
+ expect(state.enableEnrichment).toBe(false);
+ // Enrichment off → no semantic tree / assistive MathML generated.
+ expect(state.semanticNodes).toBe(0);
+});
+
+test('semantic enrichment can be re-enabled via mathjaxConfig', async ({
+ page,
+}) => {
+ await loadMathJax(page, makeConfig({ enableEnrichment: true }));
+
+ const enableEnrichment = await page.evaluate(() => {
+ const MathJax = (window as WindowWithMathJax).MathJax;
+ const hidden = document.getElementById('hidden')!;
+ hidden.innerHTML = '$$x^2 + y^2 = z^2$$
';
+ return MathJax.typesetPromise([hidden]).then(
+ () => MathJax.startup.document.options.enableEnrichment,
+ );
+ });
+
+ // The startup.ready hook must copy the user's override onto the live
+ // document (MathJax ignores it in the config block).
+ expect(enableEnrichment).toBe(true);
+});
diff --git a/test/browser/server.ts b/test/browser/server.ts
new file mode 100644
index 000000000..7f95bfc95
--- /dev/null
+++ b/test/browser/server.ts
@@ -0,0 +1,91 @@
+import * as fs from 'fs';
+import * as http from 'http';
+import * as path from 'path';
+
+const MATHJAX_DIR = path.resolve(__dirname, '../../node_modules/mathjax');
+const WAVEDROM_DIR = path.resolve(__dirname, '../../dependencies/wavedrom');
+
+const CONTENT_TYPES: Record = {
+ '.js': 'text/javascript; charset=utf-8',
+ '.mjs': 'text/javascript; charset=utf-8',
+ '.cjs': 'text/javascript; charset=utf-8',
+ '.json': 'application/json; charset=utf-8',
+ '.css': 'text/css; charset=utf-8',
+ '.wasm': 'application/wasm',
+ '.woff': 'font/woff',
+ '.woff2': 'font/woff2',
+ '.html': 'text/html; charset=utf-8',
+};
+
+const PAGE = `
+
+
+
+`;
+
+export interface TestServer {
+ url: string;
+ close(): Promise;
+}
+
+/**
+ * Serve a blank preview page at `/` and the locally installed MathJax 4
+ * package under `/mathjax/...` over real HTTP (so the speech-rule-engine's
+ * web worker, which won't run from a `file://` origin, works as it does in the
+ * actual webview).
+ */
+// URL prefix → on-disk root. Static assets are served from these so MathJax's
+// component loader and WaveDrom's skins resolve their siblings over real HTTP.
+const STATIC_MOUNTS: { prefix: string; root: string }[] = [
+ { prefix: '/mathjax/', root: MATHJAX_DIR },
+ { prefix: '/wavedrom/', root: WAVEDROM_DIR },
+];
+
+export async function startServer(): Promise {
+ const server = http.createServer((req, res) => {
+ const url = (req.url || '/').split('?')[0];
+ if (url === '/' || url === '/index.html') {
+ res.writeHead(200, { 'content-type': 'text/html; charset=utf-8' });
+ res.end(PAGE);
+ return;
+ }
+ const mount = STATIC_MOUNTS.find((m) => url.startsWith(m.prefix));
+ if (mount) {
+ const rel = decodeURIComponent(url.slice(mount.prefix.length));
+ // Resolve within the mount root and refuse path traversal.
+ const filePath = path.resolve(mount.root, rel);
+ if (!filePath.startsWith(mount.root)) {
+ res.writeHead(403);
+ res.end('forbidden');
+ return;
+ }
+ fs.readFile(filePath, (err, data) => {
+ if (err) {
+ res.writeHead(404);
+ res.end('not found');
+ return;
+ }
+ const type =
+ CONTENT_TYPES[path.extname(filePath)] || 'application/octet-stream';
+ res.writeHead(200, { 'content-type': type });
+ res.end(data);
+ });
+ return;
+ }
+ res.writeHead(404);
+ res.end('not found');
+ });
+
+ await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
+ const address = server.address();
+ if (!address || typeof address === 'string') {
+ throw new Error('failed to bind test server');
+ }
+ return {
+ url: `http://127.0.0.1:${address.port}`,
+ close: () =>
+ new Promise((resolve, reject) =>
+ server.close((err) => (err ? reject(err) : resolve())),
+ ),
+ };
+}
diff --git a/test/browser/wavedrom.spec.ts b/test/browser/wavedrom.spec.ts
new file mode 100644
index 000000000..6a54a135d
--- /dev/null
+++ b/test/browser/wavedrom.spec.ts
@@ -0,0 +1,108 @@
+import { expect, Page, test } from '@playwright/test';
+import * as cheerio from 'cheerio';
+import { sanitizeRenderedHTML } from '../../src/markdown-engine/sanitize';
+import { startServer, TestServer } from './server';
+
+/**
+ * Real-browser tests for WaveDrom rendering and the eval-based code-execution
+ * fix (shd101wyy/vscode-markdown-preview-enhanced#2315).
+ *
+ * The bundled WaveDrom renderer (used in presentation mode and HTML export)
+ * runs `WaveDrom.ProcessAll()`, which evaluates the body of every
+ * `';
+
+const BENIGN_JSON5 =
+ '';
+
+test('UNSANITIZED malicious WaveDrom executes via ProcessAll (demonstrates the vuln)', async ({
+ page,
+}) => {
+ // This is the pre-fix behavior: ProcessAll's eval runs attacker JS. It
+ // guards *why* the sanitizer normalization below is necessary.
+ const result = await processAll(page, MALICIOUS);
+ expect(result.pwned).toBe(true);
+});
+
+test('SANITIZED malicious WaveDrom cannot execute (#2315 fix)', async ({
+ page,
+}) => {
+ // The IIFE is not valid WaveDrom data, so the sanitizer drops the script.
+ const safe = sanitize(MALICIOUS);
+ expect(safe).not.toContain('__pwned');
+ const result = await processAll(page, safe);
+ expect(result.pwned).toBe(false);
+ expect(result.hasWavedromScript).toBe(0);
+});
+
+test('SANITIZED benign WaveDrom still renders an SVG', async ({ page }) => {
+ // JSON5 (unquoted keys, single quotes) is normalized to strict JSON and
+ // then rendered by ProcessAll's eval — which only ever sees inert data.
+ const safe = sanitize(BENIGN_JSON5);
+ expect(safe).toContain('"signal"');
+ const result = await processAll(page, safe);
+ expect(result.pwned).toBe(false);
+ expect(result.svgCount).toBeGreaterThan(0);
+});
diff --git a/test/command-injection.test.ts b/test/command-injection.test.ts
new file mode 100644
index 000000000..3bc432266
--- /dev/null
+++ b/test/command-injection.test.ts
@@ -0,0 +1,157 @@
+/**
+ * Regression tests for Windows command injection via clicked preview links
+ * and diagram output filenames (reported by @byte16384).
+ *
+ * A crafted markdown link such as
+ * [x](mailto:hello@byte256.csrf.blog%26%20calc.exe)
+ * decodes to `mailto:hello@byte256.csrf.blog& calc.exe` and used to reach
+ * `child_process.exec('start ' + href)`, where cmd.exe interpreted `&` as a
+ * command separator — one-click RCE on Windows. `openFile` must never use a
+ * shell. Likewise the diagram `filename` attribute flows into image converters
+ * that shell out, so it must be sanitized.
+ */
+import * as child_process from 'child_process';
+import { openFile, sanitizeImageFilename } from '../src/utility';
+
+jest.mock('child_process', () => ({
+ execFile: jest.fn(),
+ exec: jest.fn(),
+}));
+
+const execFileMock = child_process.execFile as unknown as jest.Mock;
+const execMock = child_process.exec as unknown as jest.Mock;
+
+function withPlatform(platform: NodeJS.Platform, fn: () => void) {
+ const original = Object.getOwnPropertyDescriptor(process, 'platform');
+ Object.defineProperty(process, 'platform', {
+ value: platform,
+ configurable: true,
+ });
+ try {
+ fn();
+ } finally {
+ if (original) {
+ Object.defineProperty(process, 'platform', original);
+ }
+ }
+}
+
+describe('openFile never uses a shell (#byte16384 Windows RCE)', () => {
+ beforeEach(() => {
+ execFileMock.mockReset();
+ execMock.mockReset();
+ });
+
+ it('does not call child_process.exec on Windows', () => {
+ withPlatform('win32', () => {
+ openFile('mailto:hello@byte256.csrf.blog& calc.exe');
+ });
+ expect(execMock).not.toHaveBeenCalled();
+ expect(execFileMock).toHaveBeenCalledTimes(1);
+ });
+
+ it('passes a malicious href as a single, unsplit argument to explorer.exe', () => {
+ withPlatform('win32', () => {
+ openFile('mailto:hello@byte256.csrf.blog& calc.exe');
+ });
+ const [command, args] = execFileMock.mock.calls[0];
+ expect(command).toBe('explorer.exe');
+ // The whole string is one argument — no shell, so `&` cannot split a
+ // second command.
+ expect(args).toEqual(['mailto:hello@byte256.csrf.blog& calc.exe']);
+ });
+
+ it('keeps other shell metacharacters inside one argument', () => {
+ withPlatform('win32', () => {
+ openFile('http://x/?a=1 && calc.exe | whoami');
+ });
+ const [, args] = execFileMock.mock.calls[0];
+ expect(args).toHaveLength(1);
+ expect(args[0]).toBe('http://x/?a=1 && calc.exe | whoami');
+ });
+
+ it('normalizes a drive path to a file:// URI and opens via explorer.exe', () => {
+ withPlatform('win32', () => {
+ openFile('C:\\Users\\me\\report.pdf');
+ });
+ expect(execFileMock).toHaveBeenCalledWith('explorer.exe', [
+ 'file:///C:\\Users\\me\\report.pdf',
+ ]);
+ });
+
+ it('uses `open --` on macOS so a leading-dash arg is not a flag', () => {
+ withPlatform('darwin', () => {
+ openFile('-x');
+ });
+ expect(execMock).not.toHaveBeenCalled();
+ expect(execFileMock).toHaveBeenCalledWith('open', ['--', '-x']);
+ });
+
+ it('uses xdg-open (no shell) on Linux', () => {
+ withPlatform('linux', () => {
+ openFile('mailto:a& calc');
+ });
+ expect(execMock).not.toHaveBeenCalled();
+ expect(execFileMock).toHaveBeenCalledWith('xdg-open', ['mailto:a& calc']);
+ });
+});
+
+describe('sanitizeImageFilename (diagram export filename injection)', () => {
+ it('accepts plain file names', () => {
+ expect(sanitizeImageFilename('diagram.png')).toBe('diagram.png');
+ expect(sanitizeImageFilename('my-chart_v2.png')).toBe('my-chart_v2.png');
+ });
+
+ it('accepts a subdirectory path', () => {
+ expect(sanitizeImageFilename('assets/diagram.png')).toBe(
+ 'assets/diagram.png',
+ );
+ });
+
+ it('accepts non-ASCII (Unicode) filenames', () => {
+ // Unicode letters have no shell meaning; non-English filenames must work.
+ expect(sanitizeImageFilename('图表.png')).toBe('图表.png');
+ expect(sanitizeImageFilename('schéma_électrique.png')).toBe(
+ 'schéma_électrique.png',
+ );
+ expect(sanitizeImageFilename('диаграмма.png')).toBe('диаграмма.png');
+ expect(sanitizeImageFilename('assets/図.png')).toBe('assets/図.png');
+ });
+
+ it('accepts a leading-slash project-root path (MPE convention, not absolute)', () => {
+ // `/assets/x.png` means "relative to the project root" — the caller
+ // resolves it against projectDirectoryPath, not the filesystem root.
+ expect(sanitizeImageFilename('/assets/diagram.png')).toBe(
+ '/assets/diagram.png',
+ );
+ });
+
+ it('rejects shell metacharacters', () => {
+ expect(sanitizeImageFilename('x.png && calc.exe')).toBe('');
+ expect(sanitizeImageFilename('x.png; rm -rf /')).toBe('');
+ expect(sanitizeImageFilename('$(calc).png')).toBe('');
+ expect(sanitizeImageFilename('`calc`.png')).toBe('');
+ expect(sanitizeImageFilename('a|b.png')).toBe('');
+ expect(sanitizeImageFilename('"quoted".png')).toBe('');
+ });
+
+ it('rejects whitespace and control characters', () => {
+ expect(sanitizeImageFilename('my diagram.png')).toBe('');
+ expect(sanitizeImageFilename('a\tb.png')).toBe('');
+ expect(sanitizeImageFilename('a\nb.png')).toBe('');
+ expect(sanitizeImageFilename('a\x00b.png')).toBe('');
+ // Unicode RTL override (filename-spoofing / control) is rejected.
+ expect(sanitizeImageFilename('evilgnp.png')).toBe('');
+ });
+
+ it('rejects `..` path traversal (even with a leading slash)', () => {
+ expect(sanitizeImageFilename('../../etc/passwd')).toBe('');
+ expect(sanitizeImageFilename('a/../../b.png')).toBe('');
+ expect(sanitizeImageFilename('/../outside.png')).toBe('');
+ });
+
+ it('returns empty for empty/undefined input (caller falls back to default)', () => {
+ expect(sanitizeImageFilename(undefined)).toBe('');
+ expect(sanitizeImageFilename('')).toBe('');
+ });
+});
diff --git a/test/math.test.ts b/test/math.test.ts
index 87ce4838a..9ec3b3f29 100644
--- a/test/math.test.ts
+++ b/test/math.test.ts
@@ -11,7 +11,9 @@
* renderer's output.
*/
import * as path from 'path';
+import { buildMathJaxConfigScript } from '../src/markdown-engine/mathjax-config';
import { Notebook } from '../src/notebook/index';
+import { getDefaultMathjaxConfig } from '../src/notebook/types';
describe('Math rendering', () => {
let notebook: Notebook;
@@ -374,3 +376,57 @@ describe('Math rendering with custom delimiters', () => {
expect(html).not.toContain('class="katex"');
});
});
+
+describe('MathJax config defaults', () => {
+ it('disables a11y semantic enrichment for performance (#2312)', () => {
+ // Enrichment (speech-rule-engine) is ~95% of MathJax 4's per-formula
+ // typeset cost; disabling it restores MathJax-3-like preview performance.
+ const config = getDefaultMathjaxConfig();
+ const options = config.options as Record;
+ expect(options.enableEnrichment).toBe(false);
+ });
+
+ it('preserves tex and loader config sections', () => {
+ const config = getDefaultMathjaxConfig();
+ expect(config.tex).toEqual({});
+ expect(config.loader).toEqual({});
+ });
+
+ it('is a pure object (no shared mutable references)', () => {
+ const a = getDefaultMathjaxConfig();
+ const b = getDefaultMathjaxConfig();
+ expect(a).not.toBe(b);
+ expect(a).toEqual(b);
+ });
+});
+
+describe('buildMathJaxConfigScript (#2312 enrichment override)', () => {
+ it('serializes the config onto window.MathJax', () => {
+ const script = buildMathJaxConfigScript(getDefaultMathjaxConfig());
+ expect(script).toContain('window.MathJax = (');
+ expect(script).toContain('"enableEnrichment":false');
+ });
+
+ it('wraps startup.ready to re-apply a11y toggles onto the live document', () => {
+ const script = buildMathJaxConfigScript(getDefaultMathjaxConfig());
+ // The ready hook must run the default startup and then copy the
+ // configured a11y options onto the built MathDocument (where they
+ // actually take effect — MathJax ignores them in the config block).
+ expect(script).toContain('cfg.startup.ready = function');
+ expect(script).toContain('defaultReady()');
+ expect(script).toContain('doc.options[keys[i]] = wanted[keys[i]]');
+ expect(script).toContain('enableEnrichment');
+ });
+
+ it('preserves a user-provided ready hook', () => {
+ const script = buildMathJaxConfigScript({ options: {} });
+ expect(script).toContain("typeof userReady === 'function'");
+ expect(script).toContain('userReady()');
+ });
+
+ it('produces a syntactically valid script', () => {
+ const script = buildMathJaxConfigScript(getDefaultMathjaxConfig());
+ // Wrap so the bare `window.MathJax = (...)` assignment parses.
+ expect(() => new Function('window', script)).not.toThrow();
+ });
+});
diff --git a/test/sanitize.test.ts b/test/sanitize.test.ts
index b9ac960ff..8a3098da5 100644
--- a/test/sanitize.test.ts
+++ b/test/sanitize.test.ts
@@ -138,6 +138,45 @@ describe('sanitizeRenderedHTML (CVE-2025-65716)', () => {
expect(result).toContain('{"signal":[]}');
});
+ it('normalizes JSON5 WaveDrom data scripts to strict JSON', () => {
+ const result = sanitize(
+ ``,
+ );
+ expect(result).toContain('`,
+ );
+ expect(result).not.toContain(' {
+ const result = sanitize(
+ ``,
+ );
+ expect(result).not.toContain(' value so it cannot break out after re-serialization', () => {
+ // The raw input uses a JSON escape (<\/script>) so the HTML parser does
+ // NOT treat it as a closing tag; JSON5 decodes it to a literal
+ // "" string value, which JSON.stringify would otherwise emit
+ // raw and break out of the ',
+ );
+ expect(result).toContain('');
+ });
+
it('preserves TikZ scripts', () => {
const tikzCode =
'\\begin{tikzpicture}\\draw (0,0) -- (1,1);\\end{tikzpicture}';
diff --git a/test/wavedrom-parser.test.ts b/test/wavedrom-parser.test.ts
new file mode 100644
index 000000000..5e04ebdaf
--- /dev/null
+++ b/test/wavedrom-parser.test.ts
@@ -0,0 +1,150 @@
+import JSON5 from 'json5';
+
+describe('WaveDrom parser security (CVE-2026-wavedrom-eval)', () => {
+ describe('JSON5.parse correctly handles WaveDrom input', () => {
+ test('parses standard JSON (double-quoted keys)', () => {
+ const result = JSON5.parse(
+ '{"signal": [{"name": "clk", "wave": "p......"}]}',
+ );
+ expect(result).toEqual({
+ signal: [{ name: 'clk', wave: 'p......' }],
+ });
+ });
+
+ test('parses WaveDrom with unquoted keys', () => {
+ const result = JSON5.parse(`{ signal : [
+ { name: "clk", wave: "p......" },
+ { name: "bus", wave: "x.34.5x", data: "head body tail" },
+ { name: "wire", wave: "0.1..0." },
+]}`);
+ expect(result.signal).toHaveLength(3);
+ expect(result.signal[0].name).toBe('clk');
+ });
+
+ test('parses WaveDrom with single-quoted strings', () => {
+ const result = JSON5.parse(`{
+ signal: [
+ { name: 'clk', wave: 'p......' },
+ ]
+}`);
+ expect(result.signal[0].name).toBe('clk');
+ });
+
+ test('parses WaveDrom with // comments', () => {
+ const result = JSON5.parse(`{
+ signal: [
+ // clock signal
+ { name: "clk", wave: "p......" },
+ // data bus
+ { name: "bus", wave: "x.34.5x", data: "head body tail" },
+ ]
+}`);
+ expect(result.signal).toHaveLength(2);
+ expect(result.signal[0].name).toBe('clk');
+ });
+
+ test('parses WaveDrom with /* */ comments', () => {
+ const result = JSON5.parse(`{
+ signal: [
+ /* main clock */
+ { name: "clk", wave: "p......" },
+ ]
+}`);
+ expect(result.signal[0].name).toBe('clk');
+ });
+
+ test('parses WaveDrom with trailing commas', () => {
+ const result = JSON5.parse(`{
+ signal: [
+ { name: "clk", wave: "p......", },
+ ],
+}`);
+ expect(result.signal[0].name).toBe('clk');
+ });
+
+ test('parses WaveDrom with hex numbers', () => {
+ const result = JSON5.parse('{ addr: 0xDEAD }');
+ expect(result.addr).toBe(0xdead);
+ });
+
+ test('parses WaveDrom with Infinity and NaN', () => {
+ const result = JSON5.parse(
+ '{ max: Infinity, min: -Infinity, value: NaN }',
+ );
+ expect(result.max).toBe(Infinity);
+ expect(result.min).toBe(-Infinity);
+ expect(isNaN(result.value)).toBe(true);
+ });
+
+ test('parses multiline WaveDrom input', () => {
+ const result = JSON5.parse(`{
+ signal: [
+ { name: "clk", wave: "p.....|..." },
+ { name: "data", wave: "x.345x|=.x", data: ["head", "body", "tail", "data"] },
+ { name: "req", wave: "0.1..0|1.0" },
+ {},
+ { name: "ack", wave: "1.....|01." },
+ ],
+ head: { text: "WaveDrom example", tick: 0 },
+ foot: { text: "Figure 1", tock: 9 },
+}`);
+ expect(result.signal).toHaveLength(5);
+ expect(result.head.text).toBe('WaveDrom example');
+ });
+ });
+
+ describe('JSON5.parse blocks code execution', () => {
+ test('throws on function calls', () => {
+ expect(() => JSON5.parse('alert("xss")')).toThrow();
+ });
+
+ test('throws on function expressions', () => {
+ expect(() => JSON5.parse('(function() { alert("xss") })()')).toThrow();
+ });
+
+ test('throws on variable assignments', () => {
+ expect(() => JSON5.parse('a = 1')).toThrow();
+ });
+
+ test('throws on arbitrary JavaScript payloads', () => {
+ const exploitPayload = `
+ (() => {
+ const vscodeApi = { postMessage: () => {} };
+ vscodeApi.postMessage({ command: 'updateMarkdown', args: ['/etc/passwd', 'evil'] });
+ })()
+ `;
+ expect(() => JSON5.parse(exploitPayload)).toThrow();
+ });
+
+ test('throws on template literal injection', () => {
+ expect(() => JSON5.parse('`${alert("xss")}`')).toThrow();
+ });
+
+ test('throws on new operator', () => {
+ expect(() => JSON5.parse('new Function("alert(1)")')).toThrow();
+ });
+
+ test('throws on arrow-function IIFE', () => {
+ const payload = '(() => { return 1; })()';
+ expect(() => JSON5.parse(payload)).toThrow();
+ });
+
+ test('throws on empty string', () => {
+ expect(() => JSON5.parse('')).toThrow();
+ });
+ });
+
+ describe('safety: JSON5 does not execute code', () => {
+ test('does not execute side effects in object values', () => {
+ const sideEffect = false;
+ const input = '{"key": "value"}';
+ JSON5.parse(input);
+ expect(sideEffect).toBe(false);
+ });
+
+ test('rejects code disguised as a JSON value', () => {
+ const payload = '{"signal": (function(){ return []; })()}';
+ expect(() => JSON5.parse(payload)).toThrow();
+ });
+ });
+});
diff --git a/test/wavedrom-source.test.ts b/test/wavedrom-source.test.ts
new file mode 100644
index 000000000..6156eb9ca
--- /dev/null
+++ b/test/wavedrom-source.test.ts
@@ -0,0 +1,91 @@
+import { normalizeWavedromSource } from '../src/renderers/wavedrom-source';
+
+describe('normalizeWavedromSource (shd101wyy/vscode-markdown-preview-enhanced#2315)', () => {
+ describe('accepts and normalizes valid WaveDrom data', () => {
+ it('passes through strict JSON unchanged in meaning', () => {
+ expect(normalizeWavedromSource('{"signal":[]}')).toBe('{"signal":[]}');
+ });
+
+ it('normalizes unquoted keys to strict JSON', () => {
+ expect(normalizeWavedromSource('{ signal: [] }')).toBe('{"signal":[]}');
+ });
+
+ it('normalizes single-quoted strings, trailing commas, and comments', () => {
+ const out = normalizeWavedromSource(`{
+ // clock
+ signal: [
+ { name: 'clk', wave: 'p..', },
+ ],
+ }`);
+ expect(out).toBe('{"signal":[{"name":"clk","wave":"p.."}]}');
+ });
+
+ it('accepts the reg root used by bitfield-style diagrams', () => {
+ expect(normalizeWavedromSource('{ reg: [ { bits: 8 } ] }')).toBe(
+ '{"reg":[{"bits":8}]}',
+ );
+ });
+
+ it('preserves hex numbers as their decimal value', () => {
+ expect(normalizeWavedromSource('{ addr: 0xFF }')).toBe('{"addr":255}');
+ });
+ });
+
+ describe('rejects non-data / executable input', () => {
+ it('returns null for a function-call payload', () => {
+ expect(normalizeWavedromSource('alert(1)')).toBeNull();
+ });
+
+ it('returns null for an IIFE', () => {
+ expect(
+ normalizeWavedromSource('(()=>{return globalThis.process})()'),
+ ).toBeNull();
+ });
+
+ it('returns null for constructor-escape payloads', () => {
+ expect(
+ normalizeWavedromSource('this.constructor.constructor("return 1")()'),
+ ).toBeNull();
+ });
+
+ it('returns null for bare scalars (not a diagram object)', () => {
+ expect(normalizeWavedromSource('42')).toBeNull();
+ expect(normalizeWavedromSource('"clk"')).toBeNull();
+ expect(normalizeWavedromSource('null')).toBeNull();
+ });
+
+ it('returns null for a top-level array root', () => {
+ expect(normalizeWavedromSource('[{ name: "clk" }]')).toBeNull();
+ });
+
+ it('returns null rather than silently corrupting non-finite numbers', () => {
+ // JSON5 accepts Infinity/NaN but strict JSON cannot represent them;
+ // drop the diagram instead of emitting `null` for the value.
+ expect(normalizeWavedromSource('{ max: Infinity }')).toBeNull();
+ expect(normalizeWavedromSource('{ min: -Infinity }')).toBeNull();
+ expect(normalizeWavedromSource('{ x: NaN }')).toBeNull();
+ });
+
+ it('returns null for empty / whitespace input', () => {
+ expect(normalizeWavedromSource('')).toBeNull();
+ expect(normalizeWavedromSource(' ')).toBeNull();
+ });
+ });
+
+ describe('neutralizes breakout', () => {
+ it('escapes < so a string value cannot close the container', () => {
+ const out = normalizeWavedromSource(
+ '{ "name": "
" }',
+ );
+ expect(out).not.toBeNull();
+ expect(out).not.toContain('');
+ expect(out).toContain('\\u003c/script>');
+ });
+
+ it('produces output that is still valid JSON round-tripping the data', () => {
+ const out = normalizeWavedromSource('{ "n": "a