From 4bc96c37720fbb68de2daef9f5b255581eae3ea3 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Wed, 27 May 2026 12:37:42 +0200
Subject: [PATCH] ci(dates): widen {@html} raw-date guard to cover the `raw` prop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DocumentDate.svelte passes the untrusted raw value via a prop named `raw`, but the guard only matched metaDateRaw/documentDateRaw/rawDate — so a future {@html raw} would slip past. Add `\braw\b` to the token list and a self-test asserting the guard catches {@html raw}. Code is currently safe ({raw}); this closes the defense-in-depth gap in the guard itself.

Refs #666

Co-Authored-By: Claude Opus 4.7
---
 .gitea/workflows/ci.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 2e2606d4..f9553ab2 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -72,10 +72,15 @@ jobs:
 # Svelte default escaping, never {@html}. This guard flags any {@html ...}
 # whose expression references a raw-date variable. A comment mentioning
 # "{@html}" without a raw token inside the braces does NOT match.
- pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate)'
- # Self-test: the regex must catch the dangerous form and ignore the comment form.
+ # The token list MUST cover every variable that carries the raw value:
+ # DocumentDate.svelte exposes it via the `raw` prop, so `\braw\b` is included.
+ # Grow this list whenever a new raw-bearing variable name is introduced.
+ pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate|\braw\b)'
+ # Self-test: the regex must catch the dangerous forms and ignore the comment form.
 printf '{@html doc.metaDateRaw}\n' | grep -qP "$pattern" \
 || { echo "FAIL: guard self-test — regex missed the unsafe {@html metaDateRaw} form"; exit 1; }
+ printf '{@html raw}\n' | grep -qP "$pattern" \
+ || { echo "FAIL: guard self-test — regex missed the unsafe {@html raw} form (DocumentDate prop)"; exit 1; }
 printf 'never use {@html} for this\n' | grep -qvP "$pattern" \
 || { echo "FAIL: guard self-test — regex wrongly flagged a {@html} comment"; exit 1; }
 if grep -rPln "$pattern" --include='*.svelte' frontend/src/; then
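Review bot: The widened pattern on the `+ pattern=` line is still matched one line at a time by the `grep -rPln` scan at the end of the hunk, so an `{@html` tag whose expression continues on the following line (for example after a formatter wrap) is never flagged, and the new `{@html raw}` self-test cannot reveal that gap because it feeds a single line. Whether the project's formatter ever splits the tag I cannot tell from this hunk, but since the guard is the defense-in-depth layer the commit message relies on, consider scanning with `-z` so that `[^}]*` may span newlines — `if grep -rPlz "$pattern" --include='*.svelte' frontend/src/; then` (the `-n` is already a no-op next to `-l`) — or at least add a comment on the `pattern=` line stating that the guard is single-line only. The `\b` anchoring that keeps the new token from matching every identifier containing `raw` is likewise unpinned by a self-test; a negative case such as `printf '{@html rawHtml}\n' | grep -qvP "$pattern" \` followed by `|| { echo "FAIL: guard self-test — boundary check on raw token is broken"; exit 1; }` would make a later loosening of the regex visible in CI. The `if` block that consumes the scan result continues past the end of the hunk.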