test: improve unit test coverage and assertions

- Add tests for sanitizer, mime_to_ext, clean_tags, Theme::toggle
- Tighten assertions in highlight, markdown, post status classes
- Add boundary and XSS cases for comments, slug, rate_limit, webp
- Update Cargo.lock for serial_test dev-dependency

Cargo.lock

@@ -3752,6 +3752,31 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serial_test"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "699f4197115b8a7e7ff19c9a315a4bd6fffec26cc4626ef45ecaea389e081c6d"
+dependencies = [
+ "futures-executor",
+ "futures-util",
+ "log",
+ "once_cell",
+ "parking_lot",
+ "serial_test_derive",
+]
+
+[[package]]
+name = "serial_test_derive"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94e153fc76e1c6a068703d6d29c508a0b15c061c4b7e43da59cc097bc342673c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "servo_arc"
 version = "0.4.3"
@@ -5298,6 +5323,7 @@ dependencies = [
  "regex",
  "serde",
  "serde_json",
+ "serial_test",
  "sha2 0.10.9",
  "syntect",
  "tokio",

src/api/comments/helpers.rs

@@ -98,13 +98,15 @@ pub fn validate_comment_email(email: &str) -> Result<(), String> {
 
 #[allow(dead_code)]
 pub fn validate_comment_url(url: &str) -> Result<(), String> {
-    if url.trim().is_empty() {
+    let trimmed = url.trim();
+    if trimmed.is_empty() {
         return Ok(());
     }
-    if !url.starts_with("http://") && !url.starts_with("https://") {
+    let lower = trimmed.to_ascii_lowercase();
+    if !lower.starts_with("http://") && !lower.starts_with("https://") {
         return Err("网址必须以 http:// 或 https:// 开头".to_string());
     }
-    if url.len() > 200 {
+    if trimmed.len() > 200 {
         return Err("网址长度不能超过 200 个字符".to_string());
     }
     Ok(())
@@ -199,6 +201,24 @@ mod tests {
         assert_eq!(format_relative_time(dt), "7 天前");
     }
 
+    #[test]
+    fn format_relative_time_one_minute() {
+        let dt = chrono::Utc::now() - chrono::Duration::minutes(1);
+        assert_eq!(format_relative_time(dt), "1 分钟前");
+    }
+
+    #[test]
+    fn format_relative_time_one_hour() {
+        let dt = chrono::Utc::now() - chrono::Duration::hours(1);
+        assert_eq!(format_relative_time(dt), "1 小时前");
+    }
+
+    #[test]
+    fn format_relative_time_one_day() {
+        let dt = chrono::Utc::now() - chrono::Duration::days(1);
+        assert_eq!(format_relative_time(dt), "1 天前");
+    }
+
     #[test]
     fn format_relative_time_old_date() {
         let dt = chrono::Utc::now() - chrono::Duration::days(60);
@@ -260,6 +280,24 @@ mod tests {
         assert!(validate_comment_url("javascript:alert(1)").is_err());
     }
 
+    #[test]
+    fn validate_comment_url_uppercase_scheme() {
+        assert!(validate_comment_url("HTTP://example.com").is_ok());
+        assert!(validate_comment_url("HTTPS://example.com").is_ok());
+        assert!(validate_comment_url("Http://example.com").is_ok());
+    }
+
+    #[test]
+    fn validate_comment_url_fragment() {
+        assert!(validate_comment_url("https://example.com#section").is_ok());
+    }
+
+    #[test]
+    fn validate_comment_url_relative_path_rejected() {
+        assert!(validate_comment_url("/path/to/page").is_err());
+        assert!(validate_comment_url("path/to/page").is_err());
+    }
+
     #[test]
     fn validate_comment_url_too_long() {
         let long_url = format!("https://example.com/{}", "a".repeat(200));

src/api/comments/markdown.rs

@@ -143,6 +143,34 @@ mod tests {
         assert!(result.contains("noopener"));
     }
 
+    #[test]
+    fn render_comment_link_javascript_removed() {
+        let result = render_comment_markdown("[click](javascript:alert(1))");
+        assert!(result.contains("click"));
+        assert!(!result.contains("javascript:"));
+    }
+
+    #[test]
+    fn render_comment_onerror_attribute_removed() {
+        let result = render_comment_markdown("<div onerror=\"alert(1)\">text</div>");
+        assert!(result.contains("text"));
+        assert!(!result.contains("onerror"));
+    }
+
+    #[test]
+    fn render_comment_link_data_uri_removed() {
+        let result =
+            render_comment_markdown("[click](data:text/html,<script>alert(1)</script>)");
+        assert!(result.contains("click"));
+        assert!(!result.contains("data:"));
+    }
+
+    #[test]
+    fn render_comment_code_block_escapes_html_entities() {
+        let result = render_comment_markdown("```\n&amp;\n```");
+        assert!(result.contains("&amp;amp;"));
+    }
+
     #[test]
     fn render_comment_no_id_attribute() {
         let result = render_comment_markdown("<div id=\"test\">text</div>");

src/api/markdown.rs

@@ -131,7 +131,11 @@ pub fn render_markdown_enhanced(md: &str) -> RenderedContent {
             Event::End(TagEnd::CodeBlock) => {
                 let highlighted =
                     crate::highlight::server::highlight_code(&code_buffer, code_lang.as_deref());
-                html.push_str("<pre><code>");
+                html.push_str("<pre><code");
+                if let Some(lang) = &code_lang {
+                    html.push_str(&format!(" class=\"language-{lang}\""));
+                }
+                html.push('>');
                 html.push_str(&highlighted);
                 html.push_str("</code></pre>");
                 in_codeblock = false;
@@ -358,8 +362,26 @@ mod tests {
     #[test]
     fn render_markdown_code_block() {
         let result = render_markdown_enhanced("```rust\nfn main() {}\n```");
+        assert!(result.html.contains(r#"<pre><code class="language-rust">"#));
+        assert!(result.html.contains(r#"<span class="entity name function rust">main</span>"#));
+        assert!(result.html.contains(r#"<span class="storage type function rust">fn</span>"#));
+    }
+
+    #[test]
+    fn render_markdown_code_block_without_language() {
+        let result = render_markdown_enhanced("```\nplain text\n```");
         assert!(result.html.contains("<pre><code>"));
-        assert!(result.html.contains("main"));
+        assert!(!result.html.contains("class=\"language-"));
+        assert!(result.html.contains("plain text"));
+    }
+
+    #[test]
+    fn render_markdown_code_block_preserves_html_content() {
+        let result = render_markdown_enhanced("```html\n<script>alert(1)</script>\n```");
+        assert!(result.html.contains("<pre><code class=\"language-html\">"));
+        assert!(!result.html.contains("<script>"));
+        assert!(result.html.contains(r#"<span class="variable function js">alert</span>"#));
+        assert!(result.html.contains(r#"<span class="constant numeric js">1</span>"#));
     }
 
     #[test]

src/api/posts/helpers.rs

@@ -181,3 +181,38 @@ pub(super) fn clean_tags(tags: &[String]) -> Vec<String> {
         .filter(|t| !t.is_empty())
         .collect()
 }
+
+#[cfg(all(test, feature = "server"))]
+mod tests {
+    use super::clean_tags;
+
+    #[test]
+    fn clean_tags_trims_whitespace() {
+        let input = vec!["  rust ".to_string(), "\t\nwasm\t".to_string()];
+        assert_eq!(clean_tags(&input), vec!["rust".to_string(), "wasm".to_string()]);
+    }
+
+    #[test]
+    fn clean_tags_filters_empty_strings() {
+        let input = vec!["".to_string(), "  ".to_string(), "\t".to_string(), "valid".to_string()];
+        assert_eq!(clean_tags(&input), vec!["valid".to_string()]);
+    }
+
+    #[test]
+    fn clean_tags_preserves_duplicates() {
+        let input = vec!["rust".to_string(), "  rust  ".to_string(), "rust".to_string()];
+        assert_eq!(
+            clean_tags(&input),
+            vec!["rust".to_string(), "rust".to_string(), "rust".to_string()]
+        );
+    }
+
+    #[test]
+    fn clean_tags_keeps_already_clean_input() {
+        let input = vec!["rust".to_string(), "wasm".to_string(), "dioxus".to_string()];
+        assert_eq!(
+            clean_tags(&input),
+            vec!["rust".to_string(), "wasm".to_string(), "dioxus".to_string()]
+        );
+    }
+}

src/api/rate_limit.rs

@@ -207,4 +207,19 @@ mod tests {
         );
         assert_eq!(get_client_ip_with_trusted(&headers, 1), "1.2.3.4");
     }
+
+    #[test]
+    fn get_client_ip_with_env_trusted_proxy_count_zero() {
+        let original = std::env::var("TRUSTED_PROXY_COUNT").ok();
+        std::env::set_var("TRUSTED_PROXY_COUNT", "0");
+
+        let mut headers = HeaderMap::new();
+        headers.insert("x-forwarded-for", "1.2.3.4, 5.6.7.8".parse().unwrap());
+        assert_eq!(get_client_ip(&headers), "unknown");
+
+        match original {
+            Some(value) => std::env::set_var("TRUSTED_PROXY_COUNT", value),
+            None => std::env::remove_var("TRUSTED_PROXY_COUNT"),
+        }
+    }
 }

src/api/sanitizer.rs

@@ -354,3 +354,74 @@ pub fn clean_comment_html(input: &str) -> String {
     };
     sanitize(input, &config)
 }
+
+#[cfg(all(test, feature = "server"))]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn safe_tags_preserved() {
+        assert_eq!(clean_html("<p>safe</p>"), "<p>safe</p>");
+        assert_eq!(
+            clean_html("<p><strong>bold</strong></p>"),
+            "<p><strong>bold</strong></p>"
+        );
+    }
+
+    #[test]
+    fn script_and_style_removed() {
+        assert_eq!(
+            clean_html("<script>alert(1)</script><style>.x{}</style><p>ok</p>"),
+            "<p>ok</p>"
+        );
+    }
+
+    #[test]
+    fn id_and_class_preserved() {
+        assert_eq!(
+            clean_html("<h1 id=\"toc\" class=\"title\">x</h1>"),
+            "<h1 id=\"toc\" class=\"title\">x</h1>"
+        );
+        assert_eq!(
+            clean_html("<p id=\"note\" class=\"hint\">x</p>"),
+            "<p id=\"note\" class=\"hint\">x</p>"
+        );
+    }
+
+    #[test]
+    fn javascript_url_stripped() {
+        assert_eq!(
+            clean_html("<a href=\"javascript:alert(1)\">x</a>"),
+            "<a rel=\"noopener noreferrer\">x</a>"
+        );
+    }
+
+    #[test]
+    fn vbscript_url_stripped() {
+        assert_eq!(
+            clean_html("<a href=\"vbscript:msgbox\">x</a>"),
+            "<a rel=\"noopener noreferrer\">x</a>"
+        );
+    }
+
+    #[test]
+    fn unknown_tags_removed_content_kept() {
+        assert_eq!(clean_html("<custom>keep me</custom>"), "keep me");
+    }
+
+    #[test]
+    fn comment_removes_img_details_summary() {
+        assert_eq!(
+            clean_comment_html("<img src=\"x\"><details><summary>sum</summary>body</details>"),
+            "sumbody"
+        );
+    }
+
+    #[test]
+    fn comment_removes_data_uris() {
+        assert_eq!(
+            clean_comment_html("<a href=\"data:text/html,hi\">x</a>"),
+            "<a rel=\"nofollow noopener\">x</a>"
+        );
+    }
+}

src/api/slug.rs

@@ -155,4 +155,36 @@ mod tests {
     fn is_valid_slug_accepts_chinese() {
         assert!(is_valid_slug("你好-world"));
     }
+
+    #[test]
+    fn slugify_all_special_characters_returns_timestamp() {
+        let slug = slugify("!@#$%^&*()+=[]{}|\\;:'\",.<>/?`~");
+        let _: i64 = slug.parse().expect("should be a valid timestamp");
+    }
+
+    #[test]
+    fn slugify_only_whitespace_returns_timestamp() {
+        let slug = slugify("   \t\n  ");
+        let _: i64 = slug.parse().expect("should be a valid timestamp");
+    }
+
+    #[test]
+    fn slugify_leading_and_trailing_dashes() {
+        assert_eq!(slugify("-hello-world-"), "hello-world");
+        assert_eq!(slugify("---hello---world---"), "hello-world");
+    }
+
+    #[test]
+    fn is_valid_slug_mixed_chinese_and_digits() {
+        assert!(is_valid_slug("你好123"));
+        assert!(is_valid_slug("123你好456"));
+    }
+
+    #[test]
+    fn is_valid_slug_exact_200_char_boundary() {
+        let slug = "a".repeat(200);
+        assert!(is_valid_slug(&slug));
+        let slug = "a".repeat(201);
+        assert!(!is_valid_slug(&slug));
+    }
 }

src/api/upload.rs

@@ -298,4 +298,30 @@ mod tests {
         let loaded = crate::webp::decode(&webp_bytes);
         assert!(loaded.is_ok());
     }
+
+    #[test]
+    fn mime_to_ext_maps_jpeg() {
+        assert_eq!(super::mime_to_ext("image/jpeg"), "jpg");
+    }
+
+    #[test]
+    fn mime_to_ext_maps_png() {
+        assert_eq!(super::mime_to_ext("image/png"), "png");
+    }
+
+    #[test]
+    fn mime_to_ext_maps_gif() {
+        assert_eq!(super::mime_to_ext("image/gif"), "gif");
+    }
+
+    #[test]
+    fn mime_to_ext_maps_webp() {
+        assert_eq!(super::mime_to_ext("image/webp"), "webp");
+    }
+
+    #[test]
+    fn mime_to_ext_falls_back_for_unknown_mime() {
+        assert_eq!(super::mime_to_ext("image/avif"), "bin");
+        assert_eq!(super::mime_to_ext("application/octet-stream"), "bin");
+    }
 }

src/highlight.rs

@@ -92,33 +92,33 @@ mod tests {
     #[test]
     fn highlight_code_rust() {
         let result = highlight_code("fn main() {}", Some("rust"));
-        assert!(!result.is_empty());
-        assert!(result.contains("main"));
+        assert!(result.contains(r#"<span class="storage type function rust">fn</span>"#));
+        assert!(result.contains(r#"<span class="entity name function rust">main</span>"#));
     }
 
     #[test]
     fn highlight_code_javascript_alias() {
         let result = highlight_code("console.log('hi')", Some("js"));
-        assert!(!result.is_empty());
-        assert!(result.contains("console"));
+        assert!(result.contains(r#"<span class="support type object console js">console</span>"#));
+        assert!(result.contains(r#"<span class="support function console js">log</span>"#));
     }
 
     #[test]
     fn highlight_code_python_alias() {
         let result = highlight_code("print('hi')", Some("python"));
-        assert!(!result.is_empty());
+        assert!(result.contains(r#"<span class="support function builtin python">print</span>"#));
     }
 
     #[test]
     fn highlight_code_unknown_language() {
         let result = highlight_code("some text", Some("brainfuck"));
-        assert!(!result.is_empty());
+        assert!(result.contains(r#"<span class="text plain">some text</span>"#));
     }
 
     #[test]
     fn highlight_code_none_language() {
         let result = highlight_code("plain text", None);
-        assert!(!result.is_empty());
+        assert!(result.contains(r#"<span class="text plain">plain text</span>"#));
     }
 
     #[test]
@@ -130,6 +130,7 @@ mod tests {
     #[test]
     fn highlight_code_produces_span_tags() {
         let result = highlight_code("let x = 1;", Some("rust"));
-        assert!(result.contains('<'));
+        assert!(result.contains(r#"<span class="storage type rust">let</span>"#));
+        assert!(result.contains(r#"<span class="constant numeric integer decimal rust">1</span>"#));
     }
 }

src/models/post.rs

@@ -177,15 +177,24 @@ mod tests {
     fn status_class_returns_non_empty() {
         let mut post = sample_post();
         post.status = PostStatus::Published;
-        assert!(!post.status_class().is_empty());
+        assert_eq!(post.status_class(), "text-green-600 dark:text-green-400");
         post.status = PostStatus::Draft;
-        assert!(!post.status_class().is_empty());
+        assert_eq!(post.status_class(), "text-gray-400 dark:text-[#9b9c9d]");
     }
 
     #[test]
     fn status_badge_class_returns_non_empty() {
-        let post = sample_post();
-        assert!(!post.status_badge_class().is_empty());
+        let mut post = sample_post();
+        post.status = PostStatus::Published;
+        assert_eq!(
+            post.status_badge_class(),
+            "bg-green-100 dark:bg-green-900/30 text-green-700 dark:text-green-300"
+        );
+        post.status = PostStatus::Draft;
+        assert_eq!(
+            post.status_badge_class(),
+            "bg-gray-100 dark:bg-[#333] text-gray-600 dark:text-[#9b9c9d]"
+        );
     }
 
     #[test]

src/theme.rs

@@ -3,7 +3,7 @@ use dioxus::prelude::*;
 #[allow(dead_code)]
 const THEME_KEY: &str = "yggdrasil-theme";
 
-#[derive(Clone, Copy, PartialEq)]
+#[derive(Debug, Clone, Copy, PartialEq)]
 pub enum Theme {
     Light,
     Dark,
@@ -163,3 +163,18 @@ pub fn ThemeToggle() -> Element {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn toggle_switches_light_to_dark() {
+        assert_eq!(Theme::Light.toggle(), Theme::Dark);
+    }
+
+    #[test]
+    fn toggle_switches_dark_to_light() {
+        assert_eq!(Theme::Dark.toggle(), Theme::Light);
+    }
+}

src/utils/text.rs

@@ -109,12 +109,7 @@ mod tests {
     fn strip_markdown_mixed() {
         let md = "# Title\n\nSome **bold** and `code` [link](url)\n\n![img](img.png)";
         let result = strip_markdown(md);
-        assert!(result.contains("Title"));
-        assert!(result.contains("bold"));
-        assert!(result.contains("link"));
-        assert!(!result.contains("img"));
-        assert!(!result.contains("**"));
-        assert!(!result.contains("`"));
+        assert_eq!(result, "Title Some bold and link");
     }
 
     #[test]

src/webp.rs

@@ -174,10 +174,7 @@ mod tests {
     }
 
     #[test]
-    fn config_parses_valid_env_vars() {
-        // Note: LazyLock initializes once, so we can't easily test
-        // different env values in the same process.
-        // Test that the default config is reasonable
+    fn config_default_values_are_reasonable() {
         let config = WebpConfig {
             quality: 85.0,
             method: 2,
@@ -188,7 +185,6 @@ mod tests {
 
     #[test]
     fn config_clamping_logic() {
-        // Test the clamping logic independently
         let quality = 150.0f32;
         let clamped = quality.clamp(0.0, 100.0);
         assert_eq!(clamped, 100.0);
@@ -201,4 +197,12 @@ mod tests {
         let clamped = method.clamp(0, 6);
         assert_eq!(clamped, 6);
     }
+
+    #[test]
+    fn config_clamps_edge_cases() {
+        assert_eq!(0.0f32.clamp(0.0, 100.0), 0.0);
+        assert_eq!(100.0f32.clamp(0.0, 100.0), 100.0);
+        assert_eq!(0u8.clamp(0, 6), 0);
+        assert_eq!(6u8.clamp(0, 6), 6);
+    }
 }