fix: "javascript:" issue with buttondown + integrates claude

lmammino · lmammino · commit 5c241684ba47 · 2025-12-13T17:31:55.000+01:00
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -0,0 +1,77 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a newsletter automation system for [FullStack Bulletin](https://fullstackbulletin.com/). It uses AWS SAM to deploy a Step Functions state machine that orchestrates Lambda functions to generate weekly newsletter issues.
+
+## Build and Deploy Commands
+
+```bash
+# Validate, build, and deploy to AWS
+sam validate --lint && sam build --beta-features && sam deploy
+
+# Run all tests (linting + unit tests for Node.js)
+npm test
+
+# Run only unit tests
+npm run test:unit
+
+# Run only linting
+npm run test:lint
+
+# Run Rust tests
+cargo test --all-features
+
+# Run Rust clippy
+cargo clippy --all-features
+
+# Format Rust code
+cargo fmt
+```
+
+## Architecture
+
+### AWS Step Functions Workflow (`statemachine/create_issue.asl.yaml`)
+
+The state machine runs every Friday at 5PM UTC and executes:
+1. **Fetch Issue Number** - Scrapes Buttondown archive to get next issue number
+2. **Parallel data fetching:**
+   - Fetch Quote - Gets a random programming quote
+   - Fetch Book - Gets a recommended book
+   - Fetch Sponsor - Retrieves sponsor from Airtable
+   - Fetch Links - Processes Mastodon posts for newsletter links
+3. **Create Issue** - Generates and sends draft via Buttondown API
+
+### Rust Lambda Functions (`functions/`)
+
+All Rust functions use `cargo-lambda` for building and target ARM64 (`provided.al2023` runtime):
+
+- **fetch-issue-number** - HTML scraper using `scraper` crate
+- **fetch-quote** - Random quote generator
+- **fetch-book** - Book recommendation fetcher
+- **fetch-sponsor** - Airtable API client for sponsor data
+- **create-issue** - Buttondown API integration with Tera templates
+
+### Node.js Lambda Function
+
+- **fetch-links** - Complex link processing pipeline that:
+  - Fetches Mastodon statuses
+  - Extracts, normalizes, and scores URLs
+  - Retrieves metadata and canonical URLs
+  - Uploads images to Cloudinary
+  - Applies blacklist filtering
+
+### Shared Library (`shared/`)
+
+Contains common types used across Rust functions:
+- `Event` - Input event structure with `NextIssue`
+- `Issue` - Contains the issue number
+
+## Key Patterns
+
+- Rust functions read config from environment variables at startup
+- Functions use `reqwest` with `rustls-tls` for HTTP (Lambda compatible)
+- Step Functions handles retries with exponential backoff
+- Node.js function uses ES modules (`"type": "module"`)
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/functions/create-issue/Cargo.toml b/functions/create-issue/Cargo.toml
@@ -22,6 +22,7 @@ reqwest = { version = "0.12", features = [
 
 # Template engine
 tera = "1"
+regex = "1"
 
 # Environment variables and error handling
 anyhow = "1"
diff --git a/functions/create-issue/src/template.rs b/functions/create-issue/src/template.rs
@@ -1,8 +1,28 @@
+use crate::model::{Book, Link, Quote, Sponsor};
 use anyhow::Result;
+use regex::Regex;
 use serde::Serialize;
-use tera::{Context, Tera};
-
-use crate::model::{Book, Link, Quote, Sponsor};
+use std::collections::HashMap;
+use std::sync::LazyLock;
+use tera::{Context, Tera, Value};
+
+static JAVASCRIPT_PROTOCOL_RE: LazyLock<Regex> =
+    LazyLock::new(|| Regex::new(r"(?i)javascript:").unwrap());
+
+/// Tera filter that sanitizes text by replacing "javascript:" (case insensitive) with "JavaScript - ".
+///
+/// This filter is needed because Buttondown's API rejects content containing "javascript:"
+/// even in Markdown body text, returning the error:
+/// `{"body": ["JavaScript in attributes is not allowed. (You added one with the `javascript:` attribute.)"]}`
+fn sanitize_js_filter(value: &Value, _args: &HashMap<String, Value>) -> tera::Result<Value> {
+    match value.as_str() {
+        Some(s) => {
+            let result = JAVASCRIPT_PROTOCOL_RE.replace_all(s, "JavaScript - ");
+            Ok(Value::String(result.into_owned()))
+        }
+        None => Ok(value.clone()),
+    }
+}
 
 /// Enhanced link with action text for template rendering
 #[derive(Serialize, Debug)]
@@ -201,9 +221,13 @@ impl TemplateRenderer {
         context.insert("closing_title", &closing_title);
         context.insert("closing_message", &closing_message);
 
-        // Use Tera's one-off rendering function with embedded template
-        // autoescape=false since we're rendering Markdown, not HTML
-        let rendered = Tera::one_off(NEWSLETTER_TEMPLATE, &context, false)?;
+        // Create Tera instance with custom filter for sanitizing javascript: protocol
+        let mut tera = Tera::default();
+        tera.add_raw_template("newsletter", NEWSLETTER_TEMPLATE)?;
+        tera.register_filter("sanitize_js", sanitize_js_filter);
+        tera.autoescape_on(vec![]); // Disable autoescape since we're rendering Markdown
+
+        let rendered = tera.render("newsletter", &context)?;
         Ok(rendered)
     }
 }
@@ -296,6 +320,70 @@ mod tests {
         )
     }
 
+    #[test]
+    fn test_sanitize_js_filter_lowercase() {
+        let args = HashMap::new();
+        // Note: "javascript:" is replaced with "JavaScript - ", so original space after colon remains
+        let input = Value::String("Check out javascript: protocol".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(result.as_str().unwrap(), "Check out JavaScript -  protocol");
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_uppercase() {
+        let args = HashMap::new();
+        let input = Value::String("Check out JAVASCRIPT: protocol".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(result.as_str().unwrap(), "Check out JavaScript -  protocol");
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_mixed_case() {
+        let args = HashMap::new();
+        let input = Value::String("Check out JaVaScRiPt: protocol".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(result.as_str().unwrap(), "Check out JavaScript -  protocol");
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_multiple_occurrences() {
+        let args = HashMap::new();
+        let input = Value::String("javascript: and JavaScript: both".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(
+            result.as_str().unwrap(),
+            "JavaScript -  and JavaScript -  both"
+        );
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_no_trailing_space() {
+        let args = HashMap::new();
+        // When there's no space after the colon in the original, the replacement is clean
+        let input = Value::String("javascript:void(0)".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(result.as_str().unwrap(), "JavaScript - void(0)");
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_no_match() {
+        let args = HashMap::new();
+        let input = Value::String("Just regular text without the pattern".to_string());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(
+            result.as_str().unwrap(),
+            "Just regular text without the pattern"
+        );
+    }
+
+    #[test]
+    fn test_sanitize_js_filter_non_string() {
+        let args = HashMap::new();
+        let input = Value::Number(42.into());
+        let result = sanitize_js_filter(&input, &args).unwrap();
+        assert_eq!(result, Value::Number(42.into()));
+    }
+
     #[test]
     fn test_get_link_action_text() {
         // Test GitHub URLs
diff --git a/functions/create-issue/templates/newsletter.md b/functions/create-issue/templates/newsletter.md
@@ -17,24 +17,24 @@ TODO: WRITE INTRO
 {%- endif %}
 
 
-<a href="{{ primary_link.campaignUrls.image }}" target="_blank" rel="noopener noreferrer"><img src="{{ primary_link.image }}" draggable="false" alt="A screenshot from the article {{ primary_link.title }}"></a>
+<a href="{{ primary_link.campaignUrls.image }}" target="_blank" rel="noopener noreferrer"><img src="{{ primary_link.image }}" draggable="false" alt="A screenshot from the article {{ primary_link.title | sanitize_js }}"></a>
 
-[**{{ primary_link.title }}**]({{ primary_link.campaignUrls.title }}) — {{ primary_link.description }} [**{{ primary_link.action_text }}**]({{ primary_link.campaignUrls.description }})
+[**{{ primary_link.title | sanitize_js }}**]({{ primary_link.campaignUrls.title }}) — {{ primary_link.description | sanitize_js }} [**{{ primary_link.action_text }}**]({{ primary_link.campaignUrls.description }})
 
 {% for link in secondary_links -%}
-[**{{ link.title }}**]({{ link.campaignUrls.title }}) — {{ link.description }} [**{{ link.action_text }}**]({{ link.campaignUrls.description }})
+[**{{ link.title | sanitize_js }}**]({{ link.campaignUrls.title }}) — {{ link.description | sanitize_js }} [**{{ link.action_text }}**]({{ link.campaignUrls.description }})
 
 {% endfor -%}
 
 ---
 
 # 📕 Book of the week!
 
-[**{{ book.title }}**, by {{ book.author }}]({{ book.links.us }})
+[**{{ book.title | sanitize_js }}**, by {{ book.author }}]({{ book.links.us }})
 
-[![{{ book.title }}]({{ book.coverPicture }})]({{ book.links.us }})
+[![{{ book.title | sanitize_js }}]({{ book.coverPicture }})]({{ book.links.us }})
 
-{{ book.description }}
+{{ book.description | sanitize_js }}
 
 [**Buy on Amazon.com**]({{ book.links.us }}) - [**Buy on Amazon.co.uk**]({{ book.links.uk }})
 
@@ -44,7 +44,7 @@ TODO: WRITE INTRO
 ### {{ extra_content_title }}
 
 {% for link in extra_links -%}
-- [{{ link.title }}]({{ link.campaignUrls.title }})
+- [{{ link.title | sanitize_js }}]({{ link.campaignUrls.title }})
 {% endfor -%}
 
 ---
