fix(marketing): bento autoescape + dead col-span + test gaps

- Pipe macro title/description through | safe to render NBSP/& correctly (autoescape was producing literal '95 %+' and 'Q&R' text on screen) - Replace dynamic col-span-{{ span }} with static lookup table so Tailwind scanner generates the utilities for A-2.7+ reuse - Replace inline border style with border-white/[0.045] utility (codebase consistency) - Add explicit Q&R assertion + autoescape regression guard test
2026-04-27 18:19:56 -04:00
parent 775075d1ea
commit b87f35ea4a
3 changed files with 39 additions and 5 deletions
--- a/static/css/marketing.css
+++ b/static/css/marketing.css
@@ -497,6 +497,9 @@
  .z-\[9999\] {
    z-index: 9999;
  }
+  .col-span-1 {
+    grid-column: span 1 / span 1;
+  }
  .container {
    width: 100%;
    @media (width >= 40rem) {
@@ -3669,6 +3672,11 @@
      opacity: 50%;
    }
  }
+  .sm\:col-span-2 {
+    @media (width >= 40rem) {
+      grid-column: span 2 / span 2;
+    }
+  }
  .sm\:-mx-6 {
    @media (width >= 40rem) {
      margin-inline: calc(var(--spacing) * -6);
@@ -4000,6 +4008,11 @@
      }
    }
  }
+  .md\:col-span-3 {
+    @media (width >= 48rem) {
+      grid-column: span 3 / span 3;
+    }
+  }
  .md\:mb-2 {
    @media (width >= 48rem) {
      margin-bottom: calc(var(--spacing) * 2);
--- a/templates/macros/bento.html
+++ b/templates/macros/bento.html
@@ -1,12 +1,14 @@
-{# Reusable bento card macro. FlexiHub style: dark navy2 surface, decorative watermark number, gradient icon corner. #}
+{# Reusable bento card macro. FlexiHub style: dark navy2 surface, decorative watermark number, gradient icon corner.
+   `span` controls column span via a static lookup table (Tailwind's content scanner only sees literal class strings,
+   so dynamic `col-span-{{ span }}` would produce dead classes — the lookup keeps the utilities discoverable). #}
 {% macro bento_card(number, title, description, icon='✦', span='1') %}
-<div class="relative bg-brand-navy2 p-6 rounded-[18px] overflow-hidden col-span-{{ span }}"
-     style="border: 1px solid rgba(255,255,255,0.045)">
+{%- set span_classes = {'1': 'col-span-1', '2': 'sm:col-span-2', '3': 'sm:col-span-2 md:col-span-3'} -%}
+<div class="relative bg-brand-navy2 p-6 rounded-[18px] overflow-hidden border border-white/[0.045] {{ span_classes.get(span, 'col-span-1') }}">
  <div class="absolute top-2 right-4 text-[80px] font-black text-white/[0.04]" aria-hidden="true">{{ number }}</div>
  <div class="relative">
    <div class="w-10 h-10 grad-bg rounded-[0.5rem] mb-4 flex items-center justify-center text-lg">{{ icon }}</div>
-    <h3 class="text-lg font-bold mb-2 text-white">{{ title }}</h3>
-    <p class="text-sm text-white/70">{{ description }}</p>
+    <h3 class="text-lg font-bold mb-2 text-white">{{ title | safe }}</h3>
+    <p class="text-sm text-white/70">{{ description | safe }}</p>
  </div>
 </div>
 {% endmacro %}
--- a/tests/test_marketing_landing_template.py
+++ b/tests/test_marketing_landing_template.py
@@ -255,6 +255,8 @@ def test_bento_has_6_features():
    # Watermark numbers 01..06
    for n in ['01', '02', '03', '04', '05', '06']:
        assert f'>{n}<' in body, f"Missing bento watermark number {n}"
+    # Card 04 must use French Q&R, not English Q&A — primary identifier check
+    assert 'Q&amp;R' in body or 'Q&R' in body, "Card 04 must use French Q&R, not Q&A"


 def test_bento_uses_flexihub_styling():
@@ -281,3 +283,20 @@ def test_bento_uses_wcag_safe_text_on_dark():
    client = app.test_client()
    body = client.get('/').data.decode('utf-8')
    assert 'text-white/70' in body, "Missing WCAG-safe /70 text opacity on dark cards"
+
+
+def test_bento_renders_nbsp_entities_not_escaped():
+    """Card 01 '95 %+' NBSP must render as a non-breaking space, not as literal '&nbsp;' text.
+
+    Regression guard: if the bento macro stops piping description through `| safe`,
+    Jinja autoescape will double-escape '&nbsp;' to '&amp;nbsp;' and users see the
+    raw entity. The HTML response must contain the literal '95&nbsp;%+' once
+    (single escape), never '95&amp;nbsp;%+'.
+    """
+    client = app.test_client()
+    body = client.get('/').data.decode('utf-8')
+    assert '95&nbsp;%+' in body, "NBSP entity should appear single-escaped in card 01"
+    assert '95&amp;nbsp;' not in body, "NBSP entity must not be double-escaped (missing | safe?)"
+    # Q&R card title: French ampersand must survive as &amp; in HTML, not &amp;amp;
+    assert 'Q&amp;R' in body, "Q&R title should appear single-escaped"
+    assert 'Q&amp;amp;R' not in body, "Q&R title must not be double-escaped"