diff --git a/server/routes/widgets.js b/server/routes/widgets.js
index b3f6d9d..c16751a 100644
--- a/server/routes/widgets.js
+++ b/server/routes/widgets.js
@@ -65,6 +65,21 @@ function safeUrl(url) {
} catch { return 'about:blank'; }
}
+// Security: widget render output is public and CSP-exempt, so config values that
+// get inlined into ' });
+ const html = await render('clock1');
+ assert.ok(!html.includes('', max_items: '10);evil(' , background: CSS_BREAKOUT });
+ const html = await render('rss1');
+ assert.ok(!html.includes('', css: 'body{}' });
+ const html = await render('text1');
+ assert.ok(html.includes('