From c20035094ddf95d3186429e88c1b753b99edc36b Mon Sep 17 00:00:00 2001 From: Conroy Whitney Date: Thu, 29 Jan 2026 00:46:50 -0500 Subject: [PATCH] fix: use & instead of <> in XML escaping test for Windows NTFS compatibility (#3750) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NTFS does not allow < or > in filenames, causing the XML filename escaping test to fail on Windows CI with ENOENT. Replace file.txt with file&test.txt — & is valid on all platforms and still requires XML escaping (&), preserving the test's intent. Fixes #3748 --- src/media-understanding/apply.test.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/media-understanding/apply.test.ts b/src/media-understanding/apply.test.ts index e06adbc24..7a4d68136 100644 --- a/src/media-understanding/apply.test.ts +++ b/src/media-understanding/apply.test.ts @@ -550,10 +550,11 @@ describe("applyMediaUnderstanding", () => { it("escapes XML special characters in filenames to prevent injection", async () => { const { applyMediaUnderstanding } = await loadApply(); const dir = await fs.mkdtemp(path.join(os.tmpdir(), "moltbot-media-")); - // Create file with XML special characters in the name (what filesystem allows) + // Use & in filename — valid on all platforms (including Windows, which + // forbids < and > in NTFS filenames) and still requires XML escaping. // Note: The sanitizeFilename in store.ts would strip most dangerous chars, // but we test that even if some slip through, they get escaped in output - const filePath = path.join(dir, "file.txt"); + const filePath = path.join(dir, "file&test.txt"); await fs.writeFile(filePath, "safe content"); const ctx: MsgContext = { @@ -575,10 +576,9 @@ describe("applyMediaUnderstanding", () => { expect(result.appliedFile).toBe(true); // Verify XML special chars are escaped in the output - expect(ctx.Body).toContain("<"); - expect(ctx.Body).toContain(">"); - // The raw < and > should not appear unescaped in the name attribute - expect(ctx.Body).not.toMatch(/name="[^"]*<[^"]*"/); + expect(ctx.Body).toContain("&"); + // The name attribute should contain the escaped form, not a raw unescaped & + expect(ctx.Body).toMatch(/name="file&test\.txt"/); }); it("normalizes MIME types to prevent attribute injection", async () => {