if (logger.isDebugEnabled()) {
            logger.debug("MarkdownRenderer initialized with commonmark and OWASP sanitizer");
        }
    }

    /**
     * Renders markdown text to sanitized HTML.
     *
     * @param markdown the markdown text to render
     * @return sanitized HTML string
     */
    public String render(final String markdown) {
        if (markdown == null || markdown.isEmpty()) {

    @Test
    public void test_render_xss_scriptTag() {
        String malicious = "<script>alert('XSS')</script>";
        String result = markdownRenderer.render(malicious);
        // Script tags should be removed by sanitizer
        assertFalse(result.contains("<script>"));
        assertFalse(result.contains("</script>"));
    }

    @Test
    public void test_render_xss_onclickAttribute() {

			<artifactId>commonmark-ext-gfm-tables</artifactId>
			<version>0.24.0</version>
		</dependency>
		<dependency>
			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
			<artifactId>owasp-java-html-sanitizer</artifactId>
			<version>20260101.1</version>
		</dependency>

		<!-- test -->
		<dependency>
			<groupId>org.junit.jupiter</groupId>

     */
    function scrollToBottom() {
        elements.chatMessages.scrollTop(elements.chatMessages[0].scrollHeight);
    }

    /**
     * Render Markdown text to sanitized HTML.
     * Policy is aligned with server-side MarkdownRenderer (OWASP sanitizer).
     */
    var markdownDomPurifyInitialized = false;
    var markdownSanitizeConfig = {
        ALLOWED_TAGS: ['h1','h2','h3','h4','h5','h6',

   *
   * Fundamentally, there's not really anything we can do about that. In the unlikely event that it
   * comes up in practice (maybe through some kind of sanitizer-like testing that intentionally
   * inflicts spurious interrupts on us?), we might have to accept some flakiness or disable some
   * tests, at least under whichever environment (JRE or Android) we see such problems.
   */

   *
   * Fundamentally, there's not really anything we can do about that. In the unlikely event that it
   * comes up in practice (maybe through some kind of sanitizer-like testing that intentionally
   * inflicts spurious interrupts on us?), we might have to accept some flakiness or disable some
   * tests, at least under whichever environment (JRE or Android) we see such problems.
   */

regExp.length; i < len; i++) {\n    if (regExp[i].test(attrName)) {\n      return true\n    }\n  }\n\n  return false\n}\n\nexport function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {\n  if (unsafeHtml.length === 0) {\n    return unsafeHtml\n  }\n\n  if (sanitizeFn && typeof sanitizeFn === 'function') {\n    return sanitizeFn(unsafeHtml)\n  }\n\n  const domParser = new window.DOMParser()\n  const createdDocument = domParser.parseFromString(unsafeHtml, 'text/html')\n  const whitelistKeys = Object.keys(whiteList)\n...

e.js'\nimport Config from './config.js'\nimport { DefaultAllowlist, sanitizeHtml } from './sanitizer.js'\nimport { execute, getElement, isElement } from './index.js'\n\n/**\n * Constants\n */\n\nconst NAME = 'TemplateFactory'\n\nconst Default = {\n  allowList: DefaultAllowlist,\n  content: {}, // { selector : text ,  selector2 : text2 , }\n  extraClass: '',\n  html: false,\n  sanitize: true,\n  sanitizeFn: null,\n  template: '<div></div>'\n}\n\nconst DefaultType = {\n  allowList: 'object',\n  content:...

        return redirect(getClass()); // no-op
    }

    /**
     * Sanitizes a filename by removing path traversal sequences and whitespace.
     *
     * @param filename the filename to sanitize
     * @return the sanitized filename
     */
    public static String sanitizeFilename(final String filename) {

        }
        // Remove control characters and limit length
        String sanitized = input.replaceAll("[\\x00-\\x1f]", "");
        if (sanitized.length() > 1000) {
            sanitized = sanitized.substring(0, 997) + "...";
        }
        return sanitized;
    }

    /**
     * Validates that a value is within the specified range
     *
     * @param value the value to check
     * @param min minimum value (inclusive)