Skip to content

fix: flag raw HTML in policy bodies (#117)#122

Merged
sc2ben merged 1 commit into
mainfrom
117-raw-html-divergence
Jul 8, 2026
Merged

fix: flag raw HTML in policy bodies (#117)#122
sc2ben merged 1 commit into
mainfrom
117-raw-html-divergence

Conversation

@tsunaminoai

Copy link
Copy Markdown
Contributor

Summary

Closes the last open item of #117 — the site/PDF raw-HTML divergence.

Raw or inline HTML in a policy body renders on the Zola site (page.content | safe) but zigmark's Typst renderer silently drops it (renderers/typst.zig omits html_block/html_in_line, confirmed at :238/:358). So a policy's website page and its audit PDF could diverge with no warning — an integrity problem for an ISMS tool.

Rather than render HTML into PDFs (new attack surface) or strip it from the site, this makes the divergence loud: the build pre-flight added in #121 now also checks the body.

What changed

  • src/config.zig — new findRawHtml parses each policy body with zigmark's own parser and walks the AST (firstRawHtmlInBlocks/firstRawHtmlInInlines) for html_block/html_in_line. reviewPolicyFile now calls reviewPolicyBody and classifies raw HTML as critical (warn by default, fatal with --strict). AST-based, so:
    • <div> inside a code fence or `<span>` inline code does not trip;
    • <user@host> / <https://…> autolinks do not trip (they parse as autolinks, which the PDF renders);
    • nested containers (lists, blockquotes, tables) are walked.
  • src/main.zig — wording only (validation is no longer front-matter-only); --strict help updated.
  • Tests — 6 new unit/e2e tests in src/test.zig; a build-level section in tests/redaction-leak-check.sh asserting warn-by-default, --strict failure, and no false positives on the demo content.
  • Docs — README PDF section, writing-policies guide, starter README, CHANGELOG.

Verification

  • zig build test47/47 (was 41).
  • tests/redaction-leak-check.sh — passes, including the three new raw-HTML checks.
  • zig build e2e — starter content clean under the new rule (3 policies).
  • ./zig-out/bin/policypress -c config.toml -o <tmp> --strict — exit 0, no raw-HTML warnings on demo content.
  • nix fmt — 0 files changed.

Related

Closes #117.

Raw/inline HTML renders on the Zola site but zigmark's Typst renderer
silently drops it, so a policy's website page and its audit PDF could
diverge with no warning. Make the divergence loud: the build pre-flight now
parses each policy body and reports raw HTML as audit-critical (warn by
default, fatal with --strict).

Detection is AST-based via zigmark's own parser (the same one the PDF path
uses), so raw HTML inside a code fence/span and <user@host> autolinks never
false-positive; nested containers (lists, blockquotes, tables) are walked.

Adds unit and integration coverage (findRawHtml, reviewPolicyFile,
redaction-leak-check.sh), author-facing docs, and a CHANGELOG entry. This is
the last open item of #117.
@tsunaminoai tsunaminoai requested a review from sc2ben July 8, 2026 15:16
@tsunaminoai tsunaminoai added bug Something isn't working security Related to the security of the project labels Jul 8, 2026
@tsunaminoai tsunaminoai added this to the Public Launch milestone Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Preview deployment

Preview environment deleted on PR close.

@sc2ben sc2ben merged commit ac4eb6f into main Jul 8, 2026
10 checks passed
@sc2ben sc2ben deleted the 117-raw-html-divergence branch July 8, 2026 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working security Related to the security of the project

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security & architecture: v2 launch hardening

2 participants