Problem
After upgrading dompurify from 3.4.5 → 3.4.8 (pulled via npm install after merging devkit PRs #4239/#4237/#4235 into trawl_vue), the useLegalPage composable test suite breaks with 2 failures:
```
FAIL useLegalPage > returns title and rendered HTML for valid slug
AssertionError: expected 'Terms\n
Welcome to Acme Inc (SAS).
\n' to contain '
Terms
'
FAIL useLegalPage > strips XSS payloads from rendered markdown
AssertionError: expected html not to contain 'onerror'
```
Root cause: DOMPurify 3.4.8 changed behavior when `isSupported: false` (no real DOM — happens in happy-dom vitest environment). `sanitize()` now returns the input string as-is rather than processing it through the DOM. So `DOMPurify.sanitize(marked.parse(md))` returns the raw pre-marked markdown instead of sanitized HTML.
Confirmed: `DOMPurify.isSupported` is `false` in the happy-dom vitest environment; `sanitize` is not a function in pure Node.js.
Affected file(s)
- `src/modules/legal/composables/useLegalPage.js` — needs to guard on `DOMPurify.isSupported` or use an alternative sanitizer in non-DOM environments
- `src/modules/legal/tests/useLegalPage.unit.tests.js` — tests assume sanitized HTML is returned
Steps to reproduce
# In trawl_vue after merging devkit master (dompurify@3.4.8)
NODE_ENV=trawl npm run generateConfig
NODE_ENV=trawl npm run test:unit -- src/modules/legal/tests/useLegalPage.unit.tests.js
Both `returns title and rendered HTML for valid slug` and `strips XSS payloads from rendered markdown` fail.
Suggested fix
In `useLegalPage.js`, guard the sanitization call:
```js
const html = DOMPurify.isSupported
? DOMPurify.sanitize(marked.parse(substituted))
: marked.parse(substituted); // test/SSR env — no real DOM, skip sanitize
```
Or run the test with `jsdom` environment instead of `happy-dom` for this specific test file (add `@vitest-environment jsdom` docblock).
Problem
After upgrading dompurify from 3.4.5 → 3.4.8 (pulled via npm install after merging devkit PRs #4239/#4237/#4235 into trawl_vue), the useLegalPage composable test suite breaks with 2 failures:
```
FAIL useLegalPage > returns title and rendered HTML for valid slug
AssertionError: expected 'Terms\n
Welcome to Acme Inc (SAS).
\n' to contain 'Terms
'FAIL useLegalPage > strips XSS payloads from rendered markdown
AssertionError: expected html not to contain 'onerror'
```
Root cause: DOMPurify 3.4.8 changed behavior when `isSupported: false` (no real DOM — happens in happy-dom vitest environment). `sanitize()` now returns the input string as-is rather than processing it through the DOM. So `DOMPurify.sanitize(marked.parse(md))` returns the raw pre-marked markdown instead of sanitized HTML.
Confirmed: `DOMPurify.isSupported` is `false` in the happy-dom vitest environment; `sanitize` is not a function in pure Node.js.
Affected file(s)
Steps to reproduce
# In trawl_vue after merging devkit master (dompurify@3.4.8) NODE_ENV=trawl npm run generateConfig NODE_ENV=trawl npm run test:unit -- src/modules/legal/tests/useLegalPage.unit.tests.jsBoth `returns title and rendered HTML for valid slug` and `strips XSS payloads from rendered markdown` fail.
Suggested fix
In `useLegalPage.js`, guard the sanitization call:
```js
const html = DOMPurify.isSupported
? DOMPurify.sanitize(marked.parse(substituted))
: marked.parse(substituted); // test/SSR env — no real DOM, skip sanitize
```
Or run the test with `jsdom` environment instead of `happy-dom` for this specific test file (add `@vitest-environment jsdom` docblock).