From 95305d5e6233c2b0abf1920e4a1c5d7d07c32b30 Mon Sep 17 00:00:00 2001
From: Asherah Connor <aconnor@gitlab.com>
Date: Mon, 1 Dec 2025 16:29:21 +1100
Subject: [PATCH 1/4] Remove deckar01-task_list; remove formatting from task
 item system notes

We used to include the Markdown from the entire original line of input
right here, allowing user formatting to become permanently part of the
system note. You could also trivially break formatting in system notes
this way, with unpredictable results.

As of this change, system notes for task item status changes ("marked
the checklist item XYZ as completed" and "as incomplete") no longer
contain formatting from the task item, and only contain the textual
contents.

Changelog: changed
---
 Gemfile                                       |  1 -
 Gemfile.checksum                              |  1 -
 Gemfile.lock                                  |  3 -
 Gemfile.next.checksum                         |  1 -
 Gemfile.next.lock                             |  3 -
 app/models/concerns/taskable.rb               | 71 ++++++++--------
 .../system_notes/issuables_service.rb         |  4 +-
 app/services/task_list_toggle_service.rb      |  2 +-
 lib/banzai/filter/task_list_filter.rb         | 84 +++++++++++--------
 spec/frontend/merge_request_spec.js           |  1 -
 spec/models/concerns/taskable_spec.rb         | 74 ++++++++++++++--
 .../system_notes/issuables_service_spec.rb    | 28 ++++++-
 12 files changed, 179 insertions(+), 94 deletions(-)

diff --git a/Gemfile b/Gemfile
index 16996184acd846..5bf41a96e12473 100644
--- a/Gemfile
+++ b/Gemfile
@@ -253,7 +253,6 @@ gem 'gitlab-active-context', path: 'gems/gitlab-active-context', require: 'activ
 
 # Markdown and HTML processing
 gem 'html-pipeline', '~> 2.14.3', feature_category: :markdown
-gem 'deckar01-task_list', '2.3.4', feature_category: :markdown
 gem 'gitlab-markup', '~> 2.0.0', require: 'github/markup', feature_category: :markdown
 gem 'commonmarker', '~> 0.23.10', feature_category: :markdown
 gem 'kramdown', '~> 2.5.0', feature_category: :markdown
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 3e61bce04dc5f3..a760be397c0b6c 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -110,7 +110,6 @@
 {"name":"deb_version","version":"1.0.2","platform":"ruby","checksum":"c21f911d7f2fd1d61219caae254fc078e6598e477fdff8a05a18bec6c72ee713"},
 {"name":"debug","version":"1.11.0","platform":"ruby","checksum":"1425db64cfa0130c952684e3dc974985be201dd62899bf4bbe3f8b5d6cf1aef2"},
 {"name":"debug_inspector","version":"1.1.0","platform":"ruby","checksum":"eaa5a2d0195e1d65fb4164e8e7e466cca2e7eb53bc5e608cf12b8bf02c3a8606"},
-{"name":"deckar01-task_list","version":"2.3.4","platform":"ruby","checksum":"66abdc7e009ea759732bb53867e1ea42de550e2aa03ac30a015cbf42a04c1667"},
 {"name":"declarative","version":"0.0.20","platform":"ruby","checksum":"8021dd6cb17ab2b61233c56903d3f5a259c5cf43c80ff332d447d395b17d9ff9"},
 {"name":"declarative_policy","version":"2.0.1","platform":"ruby","checksum":"5ac5a67fc87edad6ef89b12ff8916520c8d11cb95e16529c259c93ef0ec3e6e8"},
 {"name":"deprecation_toolkit","version":"2.2.4","platform":"ruby","checksum":"b1dad75eaeccd22327ee98f6a0b9d4dcd2e13274ff9069cf6b31d9879dcb2526"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 41844da2d6da0e..16c28c81d5d844 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -497,8 +497,6 @@ GEM
       irb (~> 1.10)
       reline (>= 0.3.8)
     debug_inspector (1.1.0)
-    deckar01-task_list (2.3.4)
-      html-pipeline (~> 2.0)
     declarative (0.0.20)
     declarative_policy (2.0.1)
     deprecation_toolkit (2.2.4)
@@ -2130,7 +2128,6 @@ DEPENDENCIES
   cvss-suite (~> 3.3.0)
   database_cleaner-active_record (~> 2.2.0)
   debug (~> 1.11.0)
-  deckar01-task_list (= 2.3.4)
   declarative_policy (~> 2.0.1)
   deprecation_toolkit (~> 2.2.3)
   derailed_benchmarks
diff --git a/Gemfile.next.checksum b/Gemfile.next.checksum
index 3e61bce04dc5f3..a760be397c0b6c 100644
--- a/Gemfile.next.checksum
+++ b/Gemfile.next.checksum
@@ -110,7 +110,6 @@
 {"name":"deb_version","version":"1.0.2","platform":"ruby","checksum":"c21f911d7f2fd1d61219caae254fc078e6598e477fdff8a05a18bec6c72ee713"},
 {"name":"debug","version":"1.11.0","platform":"ruby","checksum":"1425db64cfa0130c952684e3dc974985be201dd62899bf4bbe3f8b5d6cf1aef2"},
 {"name":"debug_inspector","version":"1.1.0","platform":"ruby","checksum":"eaa5a2d0195e1d65fb4164e8e7e466cca2e7eb53bc5e608cf12b8bf02c3a8606"},
-{"name":"deckar01-task_list","version":"2.3.4","platform":"ruby","checksum":"66abdc7e009ea759732bb53867e1ea42de550e2aa03ac30a015cbf42a04c1667"},
 {"name":"declarative","version":"0.0.20","platform":"ruby","checksum":"8021dd6cb17ab2b61233c56903d3f5a259c5cf43c80ff332d447d395b17d9ff9"},
 {"name":"declarative_policy","version":"2.0.1","platform":"ruby","checksum":"5ac5a67fc87edad6ef89b12ff8916520c8d11cb95e16529c259c93ef0ec3e6e8"},
 {"name":"deprecation_toolkit","version":"2.2.4","platform":"ruby","checksum":"b1dad75eaeccd22327ee98f6a0b9d4dcd2e13274ff9069cf6b31d9879dcb2526"},
diff --git a/Gemfile.next.lock b/Gemfile.next.lock
index 41844da2d6da0e..16c28c81d5d844 100644
--- a/Gemfile.next.lock
+++ b/Gemfile.next.lock
@@ -497,8 +497,6 @@ GEM
       irb (~> 1.10)
       reline (>= 0.3.8)
     debug_inspector (1.1.0)
-    deckar01-task_list (2.3.4)
-      html-pipeline (~> 2.0)
     declarative (0.0.20)
     declarative_policy (2.0.1)
     deprecation_toolkit (2.2.4)
@@ -2130,7 +2128,6 @@ DEPENDENCIES
   cvss-suite (~> 3.3.0)
   database_cleaner-active_record (~> 2.2.0)
   debug (~> 1.11.0)
-  deckar01-task_list (= 2.3.4)
   declarative_policy (~> 2.0.1)
   deprecation_toolkit (~> 2.2.3)
   derailed_benchmarks
diff --git a/app/models/concerns/taskable.rb b/app/models/concerns/taskable.rb
index e34ef0e94a368c..76ec7512726d84 100644
--- a/app/models/concerns/taskable.rb
+++ b/app/models/concerns/taskable.rb
@@ -1,18 +1,21 @@
 # frozen_string_literal: true
 
-require 'task_list'
-require 'task_list/filter'
-
 # Contains functionality for objects that can have task lists in their
 # descriptions.  Task list items can be added with Markdown like "* [x] Fix
 # bugs".
 #
 # Used by MergeRequest and Issue
 module Taskable
+  # Model class for task items returned by Taskable.get_tasks, Taskable.get_updated_tasks, and
+  # #task_list_items on classes included by Taskable.
+  Item = Struct.new(:complete?, :text, :source)
+
   COMPLETED          = 'completed'
   INCOMPLETE         = 'incomplete'
   COMPLETE_PATTERN   = /\[[xX]\]/
   INCOMPLETE_PATTERN = /\[[[:space:]]\]/
+
+  # Used by TaskListToggleService and WorkItems::TaskListReferenceReplacementService.
   ITEM_PATTERN       = %r{
     ^
     (?:(?:>\s{0,4})*)               # optional blockquote characters
@@ -24,37 +27,22 @@ module Taskable
     (\s.+)                          # followed by whitespace and some text.
   }x
 
-  ITEM_PATTERN_UNTRUSTED =
-    '^' \
-    '(?:(?:>\s{0,4})*)' \
-    '(?P<prefix>(?:\s*(?:[-+*]|(?:\d+[.)])))+)' \
-    '\s+' \
-    '(?P<checkbox>' \
-    "#{COMPLETE_PATTERN.source}|#{INCOMPLETE_PATTERN.source}" \
-    ')' \
-    '(?P<label>\s.+)'.freeze
-
-  # ignore tasks in code or html comment blocks.  HTML blocks
-  # are ok as we allow tasks inside <detail> blocks
-  REGEX =
-    "#{::Gitlab::Regex.markdown_code_or_html_comments_untrusted}" \
-    "|" \
-    "(?P<task_item>" \
-    "#{ITEM_PATTERN_UNTRUSTED}" \
-    ")".freeze
-
   def self.get_tasks(content)
+    doc = Banzai::Pipeline::PlainMarkdownPipeline.call(content, {})[:output]
+
     items = []
+    doc.xpath(Banzai::Filter::TaskListFilter::XPATH).each do |node|
+      next if node.has_attribute?('data-inapplicable')
 
-    regex = Gitlab::UntrustedRegexp.new(REGEX, multiline: true)
-    regex.scan(content.to_s).each do |match|
-      next unless regex.extract_named_group(:task_item, match)
+      text = Banzai::Filter::TaskListFilter.text_for_task_item_from_input(node)
+      text = text.split('\n').first&.strip || ''
 
-      prefix = regex.extract_named_group(:prefix, match)
-      checkbox = regex.extract_named_group(:checkbox, match)
-      label = regex.extract_named_group(:label, match)
+      source = Banzai::Filter::TaskListFilter.text_html_for_task_item_from_input(node)
 
-      items << TaskList::Item.new("#{prefix.strip} #{checkbox}", label.strip)
+      items << Taskable::Item.new(
+        complete?: node.has_attribute?('checked'),
+        text: text,
+        source: source)
     end
 
     items
@@ -79,13 +67,17 @@ def task_list_items
     @task_list_items ||= Taskable.get_tasks(description) # rubocop:disable Gitlab/ModuleWithInstanceVariables
   end
 
-  def tasks
-    @tasks ||= TaskList.new(self)
+  def complete_task_list_item_count
+    task_list_items.count(&:complete?)
+  end
+
+  def incomplete_task_list_item_count
+    task_list_items.count { |i| !i.complete? }
   end
 
   # Return true if this object's description has any task list items.
   def tasks?
-    tasks.summary.items?
+    task_list_items.any?
   end
 
   # Return a string that describes the current state of this Taskable's task
@@ -93,14 +85,17 @@ def tasks?
   def task_status(short: false)
     return '' if description.blank?
 
-    sum = tasks.summary
-    checklist_item_noun = n_('checklist item', 'checklist items', sum.item_count)
+    checklist_item_noun = n_('checklist item', 'checklist items', task_list_items.count)
     if short
       format(s_('Tasks|%{complete_count}/%{total_count} %{checklist_item_noun}'),
-        checklist_item_noun: checklist_item_noun, complete_count: sum.complete_count, total_count: sum.item_count)
+        checklist_item_noun: checklist_item_noun,
+        complete_count: complete_task_list_item_count,
+        total_count: task_list_items.count)
     else
       format(s_('Tasks|%{complete_count} of %{total_count} %{checklist_item_noun} completed'),
-        checklist_item_noun: checklist_item_noun, complete_count: sum.complete_count, total_count: sum.item_count)
+        checklist_item_noun: checklist_item_noun,
+        complete_count: complete_task_list_item_count,
+        total_count: task_list_items.count)
     end
   end
 
@@ -112,8 +107,8 @@ def task_status_short
 
   def task_completion_status
     @task_completion_status ||= {
-      count: tasks.summary.item_count,
-      completed_count: tasks.summary.complete_count
+      count: task_list_items.count,
+      completed_count: complete_task_list_item_count
     }
   end
 end
diff --git a/app/services/system_notes/issuables_service.rb b/app/services/system_notes/issuables_service.rb
index 9243ca42bbd7f2..1442628853456c 100644
--- a/app/services/system_notes/issuables_service.rb
+++ b/app/services/system_notes/issuables_service.rb
@@ -289,7 +289,7 @@ def cross_reference_disallowed?(mentioned_in)
 
     # Called when the status of a Task has changed
     #
-    # new_task  - TaskList::Item object.
+    # new_task  - Taskable::Item object.
     #
     # Example Note text:
     #
@@ -298,7 +298,7 @@ def cross_reference_disallowed?(mentioned_in)
     # Returns the created Note object
     def change_task_status(new_task)
       status_label = new_task.complete? ? Taskable::COMPLETED : Taskable::INCOMPLETE
-      body = "marked the checklist item **#{new_task.source}** as #{status_label}"
+      body = "marked the checklist item **#{::GLFMMarkdown.escape_commonmark_inline(new_task.text)}** as #{status_label}"
 
       track_issue_event(:track_issue_description_changed_action)
 
diff --git a/app/services/task_list_toggle_service.rb b/app/services/task_list_toggle_service.rb
index 8e20ffc2a5249e..7d8b3316c0a184 100644
--- a/app/services/task_list_toggle_service.rb
+++ b/app/services/task_list_toggle_service.rb
@@ -38,7 +38,7 @@ def toggle_markdown
     return unless markdown_task.chomp == line_source
     return unless source_checkbox = Taskable::ITEM_PATTERN.match(markdown_task)
 
-    currently_checked = TaskList::Item.new(source_checkbox[2]).complete?
+    currently_checked = source_checkbox[2].match?(Taskable::COMPLETE_PATTERN)
 
     # Check `toggle_as_checked` to make sure we don't accidentally replace
     # any `[ ]` or `[x]` in the middle of the text
diff --git a/lib/banzai/filter/task_list_filter.rb b/lib/banzai/filter/task_list_filter.rb
index 0ec613889ba638..4dc8ff43993bd0 100644
--- a/lib/banzai/filter/task_list_filter.rb
+++ b/lib/banzai/filter/task_list_filter.rb
@@ -15,10 +15,7 @@ class TaskListFilter < HTML::Pipeline::Filter
 
       def call
         doc.xpath(XPATH).each do |node|
-          text_content = +''
-          yield_next_siblings_until(node, %w[ol ul]) do |el|
-            text_content << el.text
-          end
+          text_content = self.class.text_for_task_item_from_input(node)
           truncated_text_content = text_content.strip.truncate(100, separator: ' ', omission: '…')
           node['aria-label'] = format(_('Check option: %{option}'), option: truncated_text_content)
 
@@ -43,7 +40,7 @@ def call
           inapplicable_s = node.document.create_element('s')
           inapplicable_s['class'] = 'inapplicable'
 
-          yield_text_nodes_without_descending_into(space.next_sibling, %w[p div ul ol]) do |el|
+          self.class.yield_text_nodes_without_descending_into(space.next_sibling, %w[p div ul ol]) do |el|
             el.wrap(inapplicable_s)
           end
         end
@@ -51,36 +48,57 @@ def call
         doc
       end
 
-      # Yields the #next_sibling of start, and then the #next_sibling of that, until either
-      # there are no more next siblings or a matching element is encountered.
-      #
-      # The following #next_sibling is evaluated *before* each element is yielded, so they
-      # can safely be reparented or removed without affecting iteration.
-      def yield_next_siblings_until(start, els)
-        it = start.next_sibling
-        while it && els.exclude?(it.name)
-          following = it.next_sibling
-          yield it
-          it = following
+      class << self
+        # Gets the text for the task list item, given the <input> checkbox that declares it.
+        def text_for_task_item_from_input(input)
+          text_content = +''
+          yield_next_siblings_until(input, %w[ol ul]) do |el|
+            text_content << el.text
+          end
+          text_content
         end
-      end
 
-      # Starting from start, iteratively yield text nodes contained within its children,
-      # and its (repeated) #next_siblings and their children, not descending into any of
-      # the elements given by els.
-      #
-      # The following #next_sibling is evaluated before yielding, as above.
-      def yield_text_nodes_without_descending_into(start, els)
-        stack = [start]
-        while stack.any?
-          it = stack.pop
-
-          stack << it.next_sibling if it.next_sibling
-
-          if it.text?
-            yield it unless it.content.blank?
-          elsif els.exclude?(it.name)
-            stack.concat(it.children.reverse)
+        # Gets the HTML corresponding to the task list item text, given the <input> checkbox that declares it.
+        # This should be used for task list item matching **only**.
+        def text_html_for_task_item_from_input(input)
+          html_content = +''
+          yield_next_siblings_until(input, %w[ol ul]) do |el|
+            html_content << el.to_html
+          end
+          html_content
+        end
+
+        # Yields the #next_sibling of start, and then the #next_sibling of that, until either
+        # there are no more next siblings or a matching element is encountered.
+        #
+        # The following #next_sibling is evaluated *before* each element is yielded, so they
+        # can safely be reparented or removed without affecting iteration.
+        def yield_next_siblings_until(start, els)
+          it = start.next_sibling
+          while it && els.exclude?(it.name)
+            following = it.next_sibling
+            yield it
+            it = following
+          end
+        end
+
+        # Starting from start, iteratively yield text nodes contained within its children,
+        # and its (repeated) #next_siblings and their children, not descending into any of
+        # the elements given by els.
+        #
+        # The following #next_sibling is evaluated before yielding, as above.
+        def yield_text_nodes_without_descending_into(start, els)
+          stack = [start]
+          while stack.any?
+            it = stack.pop
+
+            stack << it.next_sibling if it.next_sibling
+
+            if it.text?
+              yield it unless it.content.blank?
+            elsif els.exclude?(it.name)
+              stack.concat(it.children.reverse)
+            end
           end
         end
       end
diff --git a/spec/frontend/merge_request_spec.js b/spec/frontend/merge_request_spec.js
index a119ca8272e74b..dada2dd94caf5d 100644
--- a/spec/frontend/merge_request_spec.js
+++ b/spec/frontend/merge_request_spec.js
@@ -49,7 +49,6 @@ describe('MergeRequest', () => {
     });
 
     it('ensure that task with only spaces does not get checked incorrectly', async () => {
-      // fixed in 'deckar01-task_list', '2.2.1' gem
       jest.spyOn($, 'ajax').mockImplementation();
       const changeEvent = document.createEvent('HTMLEvents');
       changeEvent.initEvent('change', true, true);
diff --git a/spec/models/concerns/taskable_spec.rb b/spec/models/concerns/taskable_spec.rb
index dad0db2d898b95..c855186be4ded5 100644
--- a/spec/models/concerns/taskable_spec.rb
+++ b/spec/models/concerns/taskable_spec.rb
@@ -11,8 +11,9 @@
         Any text before the list
         - [ ] First item
         - [x] Second item
-        * [x] First item
-        * [ ] Second item
+        * [x] Third item
+        * [ ] Fourth item
+        * [~] Inapplicable item
 
         <!-- a comment
         - [ ] Item in comment, ignore
@@ -35,12 +36,16 @@
 
     let(:expected_result) do
       [
-        TaskList::Item.new('- [ ]', 'First item'),
-        TaskList::Item.new('- [x]', 'Second item'),
-        TaskList::Item.new('* [x]', 'First item'),
-        TaskList::Item.new('* [ ]', 'Second item'),
-        TaskList::Item.new('1. [ ]', 'Numbered 1'),
-        TaskList::Item.new('2) [x]', 'Numbered 2')
+        Taskable::Item.new(false, 'First item', ' First item'),
+        Taskable::Item.new(true, 'Second item', ' Second item'),
+        Taskable::Item.new(true, 'Third item', ' Third item'),
+        Taskable::Item.new(false, 'Fourth item', ' Fourth item'),
+        Taskable::Item.new(false, 'No-break space (U+00A0)', ' No-break space (U+00A0)'),
+        Taskable::Item.new(false, 'Figure space (U+2007)', ' Figure space (U+2007)'),
+        Taskable::Item.new(false, 'Narrow no-break space (U+202F)', ' Narrow no-break space (U+202F)'),
+        Taskable::Item.new(false, 'Thin space (U+2009)', ' Thin space (U+2009)'),
+        Taskable::Item.new(false, 'Numbered 1', ' Numbered 1'),
+        Taskable::Item.new(true, 'Numbered 2', ' Numbered 2')
       ]
     end
 
@@ -59,12 +64,63 @@
         MARKDOWN
       end
 
-      let(:expected_result) { [TaskList::Item.new('- [ ]', 'only task item')] }
+      let(:expected_result) { [Taskable::Item.new(false, 'only task item', ' only task item')] }
 
       it { is_expected.to match(expected_result) }
     end
   end
 
+  describe '.get_updated_tasks' do
+    subject(:updated_tasks) { described_class.get_updated_tasks(old_content:, new_content:) }
+
+    let(:old_content) do
+      <<~MARKDOWN
+        Hello, world.
+
+        - [x] Do this.
+        - [ ] And that.
+      MARKDOWN
+    end
+
+    shared_examples_for 'get_updated_tasks' do |expected|
+      it "reports #{expected.length} changed task(s)" do
+        expect(updated_tasks).to eq(expected)
+      end
+    end
+
+    context 'when no tasks have changed' do
+      # The body content changes here, but the tasks haven't changed.
+      let(:new_content) do
+        <<~MARKDOWN
+          Hi, world!
+
+          - [x] Do this.
+          - [ ] And that.
+        MARKDOWN
+      end
+
+      it_behaves_like 'get_updated_tasks', []
+    end
+
+    context 'when tasks have changed status, and one has changed text' do
+      let(:new_content) do
+        <<~MARKDOWN
+          Hello, world.
+
+          - [x] Do the other.
+          - [x] And that.
+        MARKDOWN
+      end
+
+      # We don't report on tasks being added, removed, or 'edited' --- only
+      # when an existing task's completed status is changed without other modifications.
+      # If the task's index is changed, we won't recognise it.
+      # Ideally the frontend only sends single task updates at a time, so we mostly
+      # don't deal with that situation.
+      it_behaves_like 'get_updated_tasks', [Taskable::Item.new(true, 'And that.', ' And that.')]
+    end
+  end
+
   describe '#task_list_items' do
     where(issuable_type: [:issue, :merge_request])
 
diff --git a/spec/services/system_notes/issuables_service_spec.rb b/spec/services/system_notes/issuables_service_spec.rb
index 34e1c77f2f7bc6..eff3036442bdf5 100644
--- a/spec/services/system_notes/issuables_service_spec.rb
+++ b/spec/services/system_notes/issuables_service_spec.rb
@@ -624,7 +624,7 @@ def build_note(added_count, removed_count)
 
   describe '#change_task_status' do
     let(:noteable) { create(:issue, project: project) }
-    let(:task)     { double(:task, complete?: true, source: 'task') }
+    let(:task)     { double(:task, complete?: true, text: 'task', source: ' task') }
 
     subject { service.change_task_status(task) }
 
@@ -635,6 +635,32 @@ def build_note(added_count, removed_count)
     it "posts the 'marked the checklist item as complete' system note" do
       expect(subject.note).to eq("marked the checklist item **task** as completed")
     end
+
+    context 'when task contains formatting' do
+      let(:markdown_before) { '- [ ] task with **Markdown**' }
+      let(:markdown_after) { '- [x] task with **Markdown**' }
+
+      let(:task) do
+        Taskable.get_updated_tasks(old_content: markdown_before, new_content: markdown_after).first
+      end
+
+      it 'does not leak Markdown into the system note' do
+        expect(subject.note).to eq("marked the checklist item **task with Markdown** as completed")
+      end
+    end
+
+    context 'when task contains partial formatting' do
+      let(:markdown_before) { '- [ ] task with** Markdown' }
+      let(:markdown_after) { '- [x] task with** Markdown' }
+
+      let(:task) do
+        Taskable.get_updated_tasks(old_content: markdown_before, new_content: markdown_after).first
+      end
+
+      it 'does not leak Markdown into the system note' do
+        expect(subject.note).to eq("marked the checklist item **task with\\*\\* Markdown** as completed")
+      end
+    end
   end
 
   describe '#noteable_moved' do
-- 
GitLab


From cabc6f30b541cd274054ce544adc9711e4a3350f Mon Sep 17 00:00:00 2001
From: Asherah Connor <aconnor@gitlab.com>
Date: Wed, 3 Dec 2025 14:36:45 +1100
Subject: [PATCH 2/4] Fix specs which don't match their assertions

As written, these documents had an indented codeblock for their second
line, which we're now parsing correctly.
---
 .../api/task_completion_status_spec.rb        | 26 +++++++++++++------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/spec/requests/api/task_completion_status_spec.rb b/spec/requests/api/task_completion_status_spec.rb
index 0e0b6c04c0d03b..9cff028eadfcf9 100644
--- a/spec/requests/api/task_completion_status_spec.rb
+++ b/spec/requests/api/task_completion_status_spec.rb
@@ -21,30 +21,40 @@
         expected_completed_count: 0
       },
       {
-        description: %(- [ ] task 1
-        - [x] task 2 ),
+        description: <<~MARKDOWN,
+          - [ ] task 1
+          - [x] task 2
+        MARKDOWN
         expected_count: 2,
         expected_completed_count: 1
       },
       {
-        description: %(- [ ] task 1
-        - [ ] task 2 ),
+        description: <<~MARKDOWN,
+          - [ ] task 1
+          - [ ] task 2
+        MARKDOWN
         expected_count: 2,
         expected_completed_count: 0
       },
       {
-        description: %(- [x] task 1
-        - [x] task 2 ),
+        description: <<~MARKDOWN,
+          - [x] task 1
+          - [x] task 2
+        MARKDOWN
         expected_count: 2,
         expected_completed_count: 2
       },
       {
-        description: %(- [ ] task 1),
+        description: <<~MARKDOWN,
+          - [ ] task 1
+        MARKDOWN
         expected_count: 1,
         expected_completed_count: 0
       },
       {
-        description: %(- [x] task 1),
+        description: <<~MARKDOWN,
+          - [x] task
+        MARKDOWN
         expected_count: 1,
         expected_completed_count: 1
       }
-- 
GitLab


From 23e14f020ead6d6ef8754d9e0ab987f01c71aef8 Mon Sep 17 00:00:00 2001
From: Asherah Connor <aconnor@gitlab.com>
Date: Wed, 3 Dec 2025 14:36:45 +1100
Subject: [PATCH 3/4] Handle empty US-ASCII string input in GLFMMarkdown

---
 .../filter/markdown_engines/glfm_markdown.rb   | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/banzai/filter/markdown_engines/glfm_markdown.rb b/lib/banzai/filter/markdown_engines/glfm_markdown.rb
index 77a6cfdd01ec67..9757b6c189e6b7 100644
--- a/lib/banzai/filter/markdown_engines/glfm_markdown.rb
+++ b/lib/banzai/filter/markdown_engines/glfm_markdown.rb
@@ -55,6 +55,24 @@ class GlfmMarkdown < Base
         }.freeze
 
         def render(text)
+          # GLFMMarkdown requires UTF-8 input, and raises on anything else,
+          # like US-ASCII.  Occasionally we can get an empty US-ASCII `text`
+          # here, due to the following surprising result:
+          #
+          # [7] pry(main)> "".encoding
+          # => #<Encoding:UTF-8>
+          # [8] pry(main)> [].join
+          # => ""
+          # [9] pry(main)> [].join.encoding
+          # => #<Encoding:US-ASCII>
+          #
+          # See related discussion with further links:
+          # https://github.com/gjtorikian/commonmarker/issues/277.
+          #
+          # Obviate the need for checking anything encoding-related by shortcutting
+          # when given an empty input.
+          return "" if text.empty?
+
           ::GLFMMarkdown.to_html(text, options: render_options)
         end
 
-- 
GitLab


From bdcba65d76eceb200610b7a73aac5c15130f866b Mon Sep 17 00:00:00 2001
From: Asherah Connor <aconnor@gitlab.com>
Date: Mon, 8 Dec 2025 13:59:02 +1100
Subject: [PATCH 4/4] Address undercoverage

This is a littly cheeky but it works.
---
 app/models/concerns/taskable.rb       | 4 ----
 lib/banzai/filter/task_list_filter.rb | 4 ++--
 spec/models/concerns/taskable_spec.rb | 1 +
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/app/models/concerns/taskable.rb b/app/models/concerns/taskable.rb
index 76ec7512726d84..3e26663c25de39 100644
--- a/app/models/concerns/taskable.rb
+++ b/app/models/concerns/taskable.rb
@@ -71,10 +71,6 @@ def complete_task_list_item_count
     task_list_items.count(&:complete?)
   end
 
-  def incomplete_task_list_item_count
-    task_list_items.count { |i| !i.complete? }
-  end
-
   # Return true if this object's description has any task list items.
   def tasks?
     task_list_items.any?
diff --git a/lib/banzai/filter/task_list_filter.rb b/lib/banzai/filter/task_list_filter.rb
index 4dc8ff43993bd0..6881f02473950f 100644
--- a/lib/banzai/filter/task_list_filter.rb
+++ b/lib/banzai/filter/task_list_filter.rb
@@ -16,7 +16,7 @@ class TaskListFilter < HTML::Pipeline::Filter
       def call
         doc.xpath(XPATH).each do |node|
           text_content = self.class.text_for_task_item_from_input(node)
-          truncated_text_content = text_content.strip.truncate(100, separator: ' ', omission: '…')
+          truncated_text_content = text_content.truncate(100, separator: ' ', omission: '…')
           node['aria-label'] = format(_('Check option: %{option}'), option: truncated_text_content)
 
           node.add_previous_sibling(node.document.create_element('task-button'))
@@ -55,7 +55,7 @@ def text_for_task_item_from_input(input)
           yield_next_siblings_until(input, %w[ol ul]) do |el|
             text_content << el.text
           end
-          text_content
+          text_content.strip
         end
 
         # Gets the HTML corresponding to the task list item text, given the <input> checkbox that declares it.
diff --git a/spec/models/concerns/taskable_spec.rb b/spec/models/concerns/taskable_spec.rb
index c855186be4ded5..675d04dff3fd26 100644
--- a/spec/models/concerns/taskable_spec.rb
+++ b/spec/models/concerns/taskable_spec.rb
@@ -96,6 +96,7 @@
 
           - [x] Do this.
           - [ ] And that.
+          - [ ]
         MARKDOWN
       end
 
-- 
GitLab