From b202d6542cd2ff176e311bd83e84c57a0d4f0f9d Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen
Date: Sun, 10 May 2026 21:42:52 +0200
Subject: [PATCH] test(voyage): add Group D XSS injection runtime guard (1d3591d4)
---
 .../tests/e2e/voyage-playground-a11y.spec.mjs | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/plugins/voyage/tests/e2e/voyage-playground-a11y.spec.mjs b/plugins/voyage/tests/e2e/voyage-playground-a11y.spec.mjs
index 8e5cec1..8f5fade 100644
--- a/plugins/voyage/tests/e2e/voyage-playground-a11y.spec.mjs
+++ b/plugins/voyage/tests/e2e/voyage-playground-a11y.spec.mjs
@@ -206,4 +206,27 @@ test.describe('voyage-playground a11y (axe-core)', () => {
 fullPage: false,
 });
 });
+
+ // v4.3 Step 2 — Group D Playwright XSS injection runtime guard
+ // (finding 1d3591d4). Behavioral counterpart to the DOMPurify fix in
+ // renderArtifact (Step 1). Injects a markdown
+ // payload via scheduleRender and verifies neither a JS dialog fires nor
+ // a \n# title',
+ });
+ });
+ expect(dialogCount, `expected zero dialogs but got ${dialogCount}`).toBe(0);
+ expect(await page.locator('#voyage-viewport script').count()).toBe(0);
+ });
 });
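Review bot: Both assertions after the `page.evaluate(...)` call are negative checks, and nothing visible between the evaluate and the two `expect` lines waits for the render that `scheduleRender` starts. If that render is deferred (the name suggests it, but its implementation is not on this page), `dialogCount` and the `#voyage-viewport script` count are read before the payload reaches the DOM, so the guard would pass even with the DOMPurify fix reverted. The payload's trailing `# title` heading is a ready positive signal: put `await expect(page.locator('#voyage-viewport h1')).toHaveText('title');` ahead of the zero-count checks (assuming the heading renders as an `h1`), with a short comment that it is the render-complete marker. The middle of the added test is not legible in this view, so confirm no such wait already exists; the enclosing `test.describe` opens outside the hunk.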