xss-sanitize 0.3.7 causes downstream tests to fail

[DanBurton]

Here are snippets of what I observed on the stackage build server. I can try to provide better repro instructions upon request.

yesod-markdown-0.12.6.11

    Yesod.Markdown
      converts Markdown to sanitized HTML FAILED [1]
      converts Markdown to unsanitized HTML

    Failures:

      test/Spec.hs:33:9:
      1) Yesod.Markdown converts Markdown to sanitized HTML
           expected: "<h1 id=\"title\">Title</h1><ul><li>one</li><li>two</li><
li>three</li></ul>\n  alert('xxs');\n"
            but got: "<h1 id=\"title\">Title</h1><ul><li>one</li><li>two</li><
li>three</li></ul>"


markdown-0.1.17.4

      test/main.hs:230:26:
      1) html block xss
           expected: "alert(&quot;evil&quot;)"
            but got: ""

[snoyberg]

CC @pbrisbin. Apologies for the change here, see #22

[pbrisbin]

I'm happy to adjust this test to expect the tag and contents are stripped, which I think is what's needed, but I indeed can't repro:

Selected resolver: nightly-2021-09-18
yesod-markdown> test (suite: test)


Yesod.Markdown
  converts Markdown to sanitized HTML
  converts Markdown to unsanitized HTML

Finished in 0.0080 seconds
2 examples, 0 failures

yesod-markdown> Test suite test passed

2021-09-18 seems to be what I get with --resolver nightly; is this behavior in something even newer?

[pbrisbin]

I updated yesod-markdown-0.12.6.12 to assert in a less brittle way that should pass on either behavior.

[andreasabel]

Change title? There is no xss-sanitize-0.6.7, at least not on Hackage.