.gitea/workflows/ci.yml

@@ -65,6 +65,24 @@ jobs:
             exit 1
           fi
 
+      - name: Assert no raw document date rendered via {@html} (CWE-79 — #666)
+        shell: bash
+        run: |
+          # meta_date_raw is untrusted verbatim spreadsheet text — it must render via
+          # Svelte default escaping, never {@html}. This guard flags any {@html ...}
+          # whose expression references a raw-date variable. A comment mentioning
+          # "{@html}" without a raw token inside the braces does NOT match.
+          pattern='\{@html[^}]*(metaDateRaw|documentDateRaw|rawDate)'
+          # Self-test: the regex must catch the dangerous form and ignore the comment form.
+          printf '{@html doc.metaDateRaw}\n' | grep -qP "$pattern" \
+            || { echo "FAIL: guard self-test — regex missed the unsafe {@html metaDateRaw} form"; exit 1; }
+          printf 'never use {@html} for this\n' | grep -qvP "$pattern" \
+            || { echo "FAIL: guard self-test — regex wrongly flagged a {@html} comment"; exit 1; }
+          if grep -rPln "$pattern" --include='*.svelte' frontend/src/; then
+            echo "FAIL: meta_date_raw rendered via {@html} — use default {…} escaping (CWE-79, #666)."
+            exit 1
+          fi
+
       - name: Assert no (upload|download)-artifact past v3
         shell: bash
         run: |