String malicious = "<a href=\"#\" onclick=\"alert('XSS')\">Click</a>";
        String result = markdownRenderer.render(malicious);
        // onclick attribute should be removed
        assertFalse(result.contains("onclick"));
    }

    @Test
    public void test_render_xss_javascriptProtocol() {
        String malicious = "[Click me](javascript:alert('XSS'))";
        String result = markdownRenderer.render(malicious);

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Renders markdown to sanitized HTML for safe display in the chat interface.
 * Uses commonmark for markdown parsing and OWASP HTML Sanitizer for XSS prevention.
 */
public class MarkdownRenderer {

    private static final Logger logger = LogManager.getLogger(MarkdownRenderer.class);

    private Parser markdownParser;
    private HtmlRenderer htmlRenderer;

    ImmutableSet<String> uppercaseAcronyms =
        ImmutableSet.of(
            "CDN", "CH", "ID", "DNT", "DNS", "DPR", "ECT", "GPC", "HTTP2", "IP", "MD5", "P3P",
            "RTT", "TE", "UA", "UID", "URL", "WWW", "XSS");

    for (Field field : httpHeadersFields()) {
      assertThat(field.get(null))
          .isEqualTo(upperToHttpHeaderName(field.getName(), specialCases, uppercaseAcronyms));
    }
  }

            }
            $item.css("background-color", bgColor);
          }
        }
      },

      /**
       * Helper function to safely escape HTML to prevent XSS
       */
      escapeHtml = function (text) {
        return $("<div>").text(text).html();
      },

      suggestor = {
        /**
         * Initialize the suggestor plugin
         */

    }

    @Test
    public void test_escapeHtml_scriptTag() {
        assertEquals("&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;", chatClient.testEscapeHtml("<script>alert('xss')</script>"));
    }

    // ========== buildGoUrl tests ==========

    @Test
    public void test_buildGoUrl_basic() {

        source.put("title", "Title with <script>alert('xss')</script>");
        source.put("content", "Content with & < > \" '");
        source.put("lang", "en");

        final String html = new HtmlIndexExportFormatter().format(source, Collections.emptySet());

        assertTrue(html.contains("<title>Title with &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</title>"));

   * locally.
   *
   * @since 24.1
   */
  public static final String X_DOWNLOAD_OPTIONS = "X-Download-Options";

  /** The HTTP {@code X-XSS-Protection} header field name. */
  public static final String X_XSS_PROTECTION = "X-XSS-Protection";

  /**
   * The HTTP <a
   * href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control">{@code

# Inline MIME types for the response.
response.inline.mimetypes=application/pdf,text/plain
# HTTP headers for the response.
response.headers=\
text/html=X-XSS-Protection: 1; mode=block\n\
text/html=Content-Security-Policy: reflected-xss block\n\
text/html=X-Frame-Options: SAMEORIGIN\n\


# document index

# Index name for search documents.
index.document.search.index=fess.search

* Update kubectl help for 1.2 resources ([#23305](https://github.com/kubernetes/kubernetes/pull/23305), [@janetkuo](https://github.com/janetkuo))
* Removing URL query param from swagger UI to fix the XSS issue ([#23234](https://github.com/kubernetes/kubernetes/pull/23234), [@nikhiljindal](https://github.com/nikhiljindal))

    String RESPONSE_INLINE_MIMETYPES = "response.inline.mimetypes";

    /** The key of the configuration. e.g. text/html=X-XSS-Protection: 1; mode=block<br>
     * text/html=Content-Security-Policy: reflected-xss block<br>
     * text/html=X-Frame-Options: SAMEORIGIN<br>
     *  */
    String RESPONSE_HEADERS = "response.headers";