Diff of the two buildlogs: -- --- b1/build.log 2025-11-10 22:21:44.024830901 +0000 +++ b2/build.log 2025-11-10 22:25:21.609076304 +0000 @@ -1,6 +1,6 @@ I: pbuilder: network access will be disabled during build -I: Current time: Sun Dec 13 16:41:16 -12 2026 -I: pbuilder-time-stamp: 1797223276 +I: Current time: Tue Nov 11 12:21:45 +14 2025 +I: pbuilder-time-stamp: 1762813305 I: Building the build Environment I: extracting base tarball [/var/cache/pbuilder/forky-reproducible-base.tgz] I: copying local configuration @@ -26,53 +26,85 @@ dpkg-source: info: applying drop-one-test.patch I: Not using root during the build. I: Installing the build-deps -I: user script /srv/workspace/pbuilder/2961436/tmp/hooks/D02_print_environment starting +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/D01_modify_environment starting +debug: Running on ionos1-amd64. +I: Changing host+domainname to test build reproducibility +I: Adding a custom variable just for the fun of it... +I: Changing /bin/sh to bash +'/bin/sh' -> '/bin/bash' +lrwxrwxrwx 1 root root 9 Nov 10 22:22 /bin/sh -> /bin/bash +I: Setting pbuilder2's login shell to /bin/bash +I: Setting pbuilder2's GECOS to second user,second room,second work-phone,second home-phone,second other +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/D01_modify_environment finished +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/D02_print_environment starting I: set - BUILDDIR='/build/reproducible-path' - BUILDUSERGECOS='first user,first room,first work-phone,first home-phone,first other' - BUILDUSERNAME='pbuilder1' - BUILD_ARCH='amd64' - DEBIAN_FRONTEND='noninteractive' - DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=42 ' - DISTRIBUTION='forky' - HOME='/root' - HOST_ARCH='amd64' + BASH=/bin/sh + BASHOPTS=checkwinsize:cmdhist:complete_fullquote:extquote:force_fignore:globasciiranges:globskipdots:hostcomplete:interactive_comments:patsub_replacement:progcomp:promptvars:sourcepath + BASH_ALIASES=() + BASH_ARGC=() + BASH_ARGV=() + BASH_CMDS=() + BASH_LINENO=([0]="12" [1]="0") + BASH_LOADABLES_PATH=/usr/local/lib/bash:/usr/lib/bash:/opt/local/lib/bash:/usr/pkg/lib/bash:/opt/pkg/lib/bash:. + BASH_SOURCE=([0]="/tmp/hooks/D02_print_environment" [1]="/tmp/hooks/D02_print_environment") + BASH_VERSINFO=([0]="5" [1]="3" [2]="3" [3]="1" [4]="release" [5]="x86_64-pc-linux-gnu") + BASH_VERSION='5.3.3(1)-release' + BUILDDIR=/build/reproducible-path + BUILDUSERGECOS='second user,second room,second work-phone,second home-phone,second other' + BUILDUSERNAME=pbuilder2 + BUILD_ARCH=amd64 + DEBIAN_FRONTEND=noninteractive + DEB_BUILD_OPTIONS='buildinfo=+all reproducible=+all parallel=40 nocheck' + DIRSTACK=() + DISTRIBUTION=forky + EUID=0 + FUNCNAME=([0]="Echo" [1]="main") + GROUPS=() + HOME=/root + HOSTNAME=i-capture-the-hostname + HOSTTYPE=x86_64 + HOST_ARCH=amd64 IFS=' ' - INVOCATION_ID='e8b46637f48c4de29da87c6eebbb569e' - LANG='C' - LANGUAGE='en_US:en' - LC_ALL='C' - MAIL='/var/mail/root' - OPTIND='1' - PATH='/usr/sbin:/usr/bin:/sbin:/bin:/usr/games' - PBCURRENTCOMMANDLINEOPERATION='build' - PBUILDER_OPERATION='build' - PBUILDER_PKGDATADIR='/usr/share/pbuilder' - PBUILDER_PKGLIBDIR='/usr/lib/pbuilder' - PBUILDER_SYSCONFDIR='/etc' - PPID='2961436' - PS1='# ' - PS2='> ' + INVOCATION_ID=fef4b55b24c14647a524efb473f3e0cf + LANG=C + LANGUAGE=et_EE:et + LC_ALL=C + MACHTYPE=x86_64-pc-linux-gnu + MAIL=/var/mail/root + OPTERR=1 + OPTIND=1 + OSTYPE=linux-gnu + PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path + PBCURRENTCOMMANDLINEOPERATION=build + PBUILDER_OPERATION=build + PBUILDER_PKGDATADIR=/usr/share/pbuilder + PBUILDER_PKGLIBDIR=/usr/lib/pbuilder + PBUILDER_SYSCONFDIR=/etc + PIPESTATUS=([0]="0") + POSIXLY_CORRECT=y + PPID=2084161 PS4='+ ' - PWD='/' - SHELL='/bin/bash' - SHLVL='2' - SUDO_COMMAND='/usr/bin/timeout -k 18.1h 18h /usr/bin/ionice -c 3 /usr/bin/nice /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.MPviZuGm/pbuilderrc_S9WK --distribution forky --hookdir /etc/pbuilder/first-build-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/forky-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.MPviZuGm/b1 --logfile b1/build.log node-sanitize-html_2.14.0+~2.13.0-1.dsc' - SUDO_GID='111' - SUDO_HOME='/var/lib/jenkins' - SUDO_UID='106' - SUDO_USER='jenkins' - TERM='unknown' - TZ='/usr/share/zoneinfo/Etc/GMT+12' - USER='root' - _='/usr/bin/systemd-run' - http_proxy='http://213.165.73.152:3128' + PWD=/ + SHELL=/bin/bash + SHELLOPTS=braceexpand:errexit:hashall:interactive-comments:posix + SHLVL=3 + SUDO_COMMAND='/usr/bin/timeout -k 24.1h 24h /usr/bin/ionice -c 3 /usr/bin/nice -n 11 /usr/bin/unshare --uts -- /usr/sbin/pbuilder --build --configfile /srv/reproducible-results/rbuild-debian/r-b-build.MPviZuGm/pbuilderrc_SUZr --distribution forky --hookdir /etc/pbuilder/rebuild-hooks --debbuildopts -b --basetgz /var/cache/pbuilder/forky-reproducible-base.tgz --buildresult /srv/reproducible-results/rbuild-debian/r-b-build.MPviZuGm/b2 --logfile b2/build.log node-sanitize-html_2.14.0+~2.13.0-1.dsc' + SUDO_GID=110 + SUDO_HOME=/var/lib/jenkins + SUDO_UID=105 + SUDO_USER=jenkins + TERM=unknown + TZ=/usr/share/zoneinfo/Etc/GMT-14 + UID=0 + USER=root + _='I: set' + http_proxy=http://46.16.76.132:3128 I: uname -a - Linux ionos15-amd64 6.12.48+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20) x86_64 GNU/Linux + Linux i-capture-the-hostname 6.12.48+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20) x86_64 GNU/Linux I: ls -l /bin - lrwxrwxrwx 1 root root 7 Aug 10 2025 /bin -> usr/bin -I: user script /srv/workspace/pbuilder/2961436/tmp/hooks/D02_print_environment finished + lrwxrwxrwx 1 root root 7 Aug 10 12:30 /bin -> usr/bin +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/D02_print_environment finished -> Attempting to satisfy build-dependencies -> Creating pbuilder-satisfydepends-dummy package Package: pbuilder-satisfydepends-dummy @@ -480,7 +512,7 @@ Get: 352 http://deb.debian.org/debian forky/main amd64 node-path-to-regexp all 8.3.0-1 [17.7 kB] Get: 353 http://deb.debian.org/debian forky/main amd64 node-type-detect all 4.0.8-4 [11.0 kB] Get: 354 http://deb.debian.org/debian forky/main amd64 node-sinon all 18.0.0+ds2+~cs75.4.16-1 [223 kB] -Fetched 51.8 MB in 1s (83.9 MB/s) +Fetched 51.8 MB in 29s (1803 kB/s) Preconfiguring packages ... Selecting previously unselected package netbase. (Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 19862 files and directories currently installed.) @@ -1924,7 +1956,11 @@ Building tag database... -> Finished parsing the build-deps I: Building the package -I: Running cd /build/reproducible-path/node-sanitize-html-2.14.0+~2.13.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" HOME="/nonexistent/first-build" dpkg-genchanges -S > ../node-sanitize-html_2.14.0+~2.13.0-1_source.changes +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/A99_set_merged_usr starting +Not re-configuring usrmerge for forky +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/A99_set_merged_usr finished +hostname: Name or service not known +I: Running cd /build/reproducible-path/node-sanitize-html-2.14.0+~2.13.0/ && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-buildpackage -us -uc -b && env PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/i/capture/the/path" HOME="/nonexistent/second-build" dpkg-genchanges -S > ../node-sanitize-html_2.14.0+~2.13.0-1_source.changes dpkg-buildpackage: info: source package node-sanitize-html dpkg-buildpackage: info: source version 2.14.0+~2.13.0-1 dpkg-buildpackage: info: source distribution unstable @@ -1948,406 +1984,12 @@ dh_update_autotools_config dh_autoreconf dh_auto_configure --buildsystem=nodejs -Link ./node_modules/htmlparser2 -> /usr/share/nodejs/htmlparser2 +Skipping htmlparser2 link Link node_modules/@types/sanitize-html -> ../../types-sanitize-html dh_auto_build --buildsystem=nodejs No build command found, searching known files No build command found, searching known files - dh_auto_test --buildsystem=nodejs - ln -s ../. node_modules/sanitize-html - /bin/sh -ex debian/tests/pkg-js/test -+ mocha test/test.js - - - sanitizeHtml - undefined should be successfully initialized (46ms) - undefined should escape self closing tags - undefined should handle numbers as strings - undefined should pass through simple, well-formed markup - undefined should not pass through any text outside html tag boundary since html tag is found and option is ON - undefined should pass through text outside html tag boundary since option is OFF - undefined should pass through text outside html tag boundary since option is ON but html tag is not found - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should pass through all markup if allowedTags and allowedAttributes are set to false - undefined should not pass through any markup if allowedTags is set to undefined (falsy but not exactly false) - undefined should not pass through any markup if allowedTags is set to 0 (falsy but not exactly false) - undefined should not pass through any markup if allowedTags is set to null (falsy but not exactly false) - undefined should not pass through any markup if allowedTags is set to empty string (falsy but not exactly false) - undefined should respect text nodes at top level - undefined should return an empty string when input is explicit "undefined" - undefined should return an empty string when input is explicit "null" - undefined should return an empty string when input is not provided - undefined should return an empty string when input is an empty string - undefined should reject markup not allowlisted without destroying its text - undefined should escape markup not allowlisted - undefined should accept a custom list of allowed tags - undefined should reject attributes not allowlisted - undefined should accept a custom list of allowed attributes per element - undefined should clean up unclosed img tags and p tags - undefined should reject hrefs that are not relative, ftp, http, https or mailto - undefined should cope identically with capitalized attributes and tags and should tolerate capitalized schemes - undefined should drop the content of script elements - undefined should drop the content of style elements - undefined should drop the content of textarea elements - undefined should drop the content of option elements - undefined should drop the content of textarea elements but keep the closing parent tag, when nested - undefined should retain the content of fibble elements by default - undefined should discard the content of fibble elements if specified for nonTextTags - undefined should retain allowed tags within a fibble element if fibble is not specified for nonTextTags - undefined should discard allowed tags within a fibble element if fibble is specified for nonTextTags - undefined should preserve textarea content if textareas are allowed - undefined should preserve entities as such - undefined should dump closing tags which do not have any opening tags. - undefined should tolerate not closed p tags - undefined should escape not closed p tags, if not in allowedTags array - undefined should dump comments - undefined should dump a sneaky encoded javascript url - undefined should dump an uppercase javascript url - undefined should dump a javascript URL with a comment in the middle (probably only respected by browsers in XML data islands, but just in case someone enables those) - undefined should not mess up a hashcode with a : in it - undefined should dump character codes 1-32 before testing scheme - undefined should still like nice schemes - undefined should still like nice relative URLs - undefined should replace ol to ul - undefined should replace ol to ul and add class attribute with foo value - undefined should replace ol to ul, left attributes foo and bar untouched, remove baz attribute and add class attributte with foo value - undefined should replace ol to ul and replace all attributes to class attribute with foo value - undefined should replace ol to ul and add attribute class with foo value and attribute bar with bar value - undefined should replace text and attributes when they are changed by transforming function - undefined should replace text and attributes when they are changed by transforming function and textFilter is set - undefined should replace text and attributes when they are changed by transforming function and textFilter is not set - undefined should preserve trailing text when replacing the tagName and adding new text via transforming function - undefined should add new text when not initially set and replace attributes when they are changed by transforming function - undefined should preserve text when initially set and replace attributes when they are changed by transforming function - undefined should skip an empty link - undefined Should expose a node's inner text and inner HTML to the filter - undefined Should collapse nested empty elements - undefined Should find child media elements that are in allowedTags - undefined Exclusive filter should not affect elements which do not match the filter condition - undefined should disallow data URLs with default allowedSchemes - undefined should allow data URLs with custom allowedSchemes - undefined should allow specific classes when allowlisted with allowedClasses for a single tag - undefined should allow specific classes when allowlisted with allowedClasses for all tags - undefined should allow all classes that are allowlisted for a single tag or all tags - undefined should allow classes that match wildcards for a single tag or all tags - undefined should allow all classes if `allowedClasses` contains a single `*` - undefined should allow all classes for a single tag if `allowedClasses` for the tag is false - undefined should allow only classes that matches `allowedClasses` regex - undefined should allow classes that match `allowedClasses` regex for all tags - undefined should allow defining schemes on a per-tag basis - undefined should not act weird when the class attribute is empty - undefined should not crash on bad markup - undefined should not allow a naked = sign followed by an unrelated attribute to result in one merged attribute with unescaped double quote marks - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should deliver a warning if using vulnerable tags - undefined should not deliver a warning if using the allowVulnerableTags option - undefined should allow only approved attributes, but to any tags, if tag is declared as "*" - undefined should not filter if exclusive filter does not match after transforming tags - undefined should filter if exclusive filter does match after transforming tags - undefined should allow transform on all tags using '*' - undefined should not be faked out by double < - undefined should allow attributes to be specified as globs - undefined should quote regex chars in attributes specified as globs - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should not escape inner content of script and style tags (when allowed) - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should not unescape escapes found inside script tags - undefined should process text nodes with provided function - undefined should skip text nodes based on tagName - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should respect htmlparser2 options when passed in - undefined should not crash due to tag names that are properties of the universal Object prototype - undefined should correctly maintain escaping when allowing a nonTextTags tag other than script or style - undefined should allow protocol relative links by default - undefined should not allow protocol relative links when allowProtocolRelative is false - undefined should still allow regular relative URLs when allowProtocolRelative is false -Invalid srcset descriptor found in 'foo.jpg 100w 2x, bar.jpg 200w 1x' at '2x'. -Invalid srcset descriptor found in 'foo.jpg 100w 2x, bar.jpg 200w 1x' at '1x'. - undefined should discard srcset by default - undefined should accept srcset if allowed - undefined should drop bogus srcset - undefined should accept srcset with urls containing commas - undefined text from transformTags should not specify tags - undefined drop attribute names with meta-characters - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined should sanitize styles correctly - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should remove empty style tags - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should remove invalid styles - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should ignore styles when options.parseStyleAttributes is false - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should throw an error if both allowedStyles is set and && parseStyleAttributes is set to false - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should support !important styles - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - - -⚠️ Your `allowedTags` option includes, `style`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should allow a specific style from global - undefined should delete the script tag - undefined should delete the script tag since src is not a valid URL - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should allow domains in a script that are in allowedScriptDomains - undefined should delete the script tag content - undefined should delete the script tag content from script tags with no src when allowedScriptHostnames is present - undefined should delete the script tag content from script tags with no src when allowedScriptDomains is present - undefined Should allow hostnames in a script that are in allowedScriptHostnames - undefined Should allow hostnames in an iframe that are in allowedIframeHostnames - undefined Should remove iframe src urls that are not included in allowedIframeHostnames - undefined Should not allow iframe urls that do not have proper hostname - undefined Should allow iframe through if no hostname option is set - undefined Should allow domains in an iframe that are in allowedIframeDomains - undefined Should allow second-level domains in an iframe that are in allowedIframeDomains - undefined Should remove iframe src urls that are not included in allowedIframeDomains - undefined Should remove iframe src urls with host that ends as allowed domains but not preceded with a dot - undefined Should allow hostnames in an iframe that are in allowedIframeHostnames and are not in allowedIframeDomains - undefined Should allow hostnames in an iframe that are not in allowedIframeHostnames and are allowlisted in allowedIframeDomains - undefined Should allow relative URLs for iframes by default - undefined Should allow relative URLs for iframes - undefined Should remove relative URLs for iframes - undefined Should remove relative URLs for iframes when other hostnames are specified in allowedIframeHostnames - undefined Should allow relative and allowlisted hostname URLs for iframes - undefined Should allow protocol-relative URLs for the right domain for iframes - undefined Should not allow protocol-relative iframe urls that do not have proper hostname - undefined Should only allow attributes to have any combination of specific values - undefined Should only allow attributes that match a specific value - undefined Should not allow cite urls that do not have an allowed scheme - undefined Should encode &, <, > and where necessary, " - undefined Should not pass through &0; unescaped if decodeEntities is true (the default) - undefined Should not double encode ampersands on HTML entities if decodeEntities is false (TODO more tests, this is too loose to rely upon) - undefined should escape markup not allowlisted and all its children in recursive mode - undefined should escape markup not allowlisted and but not its children - undefined should escape markup even when deocdeEntities is false - undefined should escape markup not allowlisted even within allowed markup - undefined should escape markup not allowlisted even within allowed markup, but not the allowed markup itself - undefined allows markup of depth 6 with a nestingLimit of depth 6 - undefined disallows markup of depth 7 with a nestingLimit of depth 6 - undefined should not allow simple append attacks on iframe hostname validation - undefined should not allow IDNA (Internationalized Domain Name) iframe validation bypass attacks - undefined should parse path-rooted relative URLs sensibly - undefined should parse bare relative URLs sensibly - undefined should parse ../ relative URLs sensibly - undefined should parse protocol relative URLs sensibly - undefined should reject attempts to hack our use of a relative: protocol in our test base URL - undefined Should prevent hostname bypass using protocol-relative src - - -⚠️ Your `allowedTags` option includes, `script`, which is inherently -vulnerable to XSS attacks. Please remove it from `allowedTags`. -Or, to disable this warning, add the `allowVulnerableTags` option -and ensure you are accounting for this risk. - - - undefined Should allow protocol-relative URLs for script tag - undefined should not automatically attach close tag for escaped tags in escape mode - undefined should not automatically attach close tag for escaped tags in recursiveEscape mode - undefined should discard unclosed disallowed tags - undefined should remove non-boolean attributes that are empty - undefined should not remove non-boolean attributes that are empty when disabled - undefined should not remove boolean attributes that are empty - undefined should remove boolean attributes that are empty when wildcard * passed in - undefined should not remove empty alt attribute value by default - undefined should convert the implicit empty alt attribute value to be an empty string by default - undefined should not remove empty alt attribute value by default when an empty nonBooleanAttributes option passed in - undefined should not remove the empty attributes specified in allowedEmptyAttributes option - undefined should remove all the empty attributes when an empty allowedEmptyAttributes option passed in - undefined should support SVG tags - undefined should not process style sourceMappingURL with postCSS - undefined should completely remove disallowed tags with nested content - undefined should remove top level tag's content - undefined should completely remove disallowed tag with unclosed tag - undefined should transform text content of tags even if they originally had none - - - 173 passing (157ms) - -Removing node_modules/sanitize-html +dh: command-omitted: The call to "dh_auto_test" was omitted due to "DEB_BUILD_OPTIONS=nocheck" create-stamp debian/debhelper-build-stamp dh_prep dh_auto_install --buildsystem=nodejs --destdir=debian/node-sanitize-html/ @@ -2391,12 +2033,14 @@ dpkg-buildpackage: info: binary-only upload (no source included) dpkg-genchanges: info: including full source code in upload I: copying local configuration +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/B01_cleanup starting +I: user script /srv/workspace/pbuilder/2084161/tmp/hooks/B01_cleanup finished I: unmounting dev/ptmx filesystem I: unmounting dev/pts filesystem I: unmounting dev/shm filesystem I: unmounting proc filesystem I: unmounting sys filesystem I: cleaning the build env -I: removing directory /srv/workspace/pbuilder/2961436 and its subdirectories -I: Current time: Sun Dec 13 16:44:42 -12 2026 -I: pbuilder-time-stamp: 1797223482 +I: removing directory /srv/workspace/pbuilder/2084161 and its subdirectories +I: Current time: Tue Nov 11 12:25:21 +14 2025 +I: pbuilder-time-stamp: 1762813521