Fix markdown-to-storage rendering on Confluence Cloud (#75)

* Fix markdown-to-storage rendering issues on Confluence Cloud

- Use smart links (data-card-appearance="inline") for Cloud instances
  instead of ac:link/ri:url which Cloud no longer renders. Server/DC
  instances continue using the ac:link format.

- Decode HTML entities (" & < >) inside code blocks
  before wrapping in CDATA, so code renders with literal characters
  instead of escaped entities.

- Trim trailing newline that markdown-it appends to code block content,
  which caused an extra blank line in rendered Confluence code macros.

- Remove global HTML entity decode (< > &) that was stripping
  angle-bracket placeholders (e.g. <tenant>) from inline text. Code
  blocks now handle their own entity decoding before CDATA insertion.

* Add CDATA injection defense and fix entity decode order

- Escape ]]> in code block content to prevent premature CDATA
  termination when user code contains XML/CDATA snippets
- Move &amp; decode last to avoid double-decoding entities
- Add test for CDATA terminator escaping in code blocks

Addresses review feedback from pchuri on PR #75.

* Remove duplicate isCloud() method introduced by rebase

The rebase onto main (v1.27.3) introduced a duplicate isCloud() at line
95. The upstream version at line 86 is preferred as it also handles
scoped tokens via isScopedToken(). Removes the duplicate to fix the
ESLint no-dupe-class-members error.

---------

Co-authored-by: Eric Schoeller <schoelle@colorado.edu>

Author: eschoeller

lib/confluence-client.js

@@ -1073,10 +1073,11 @@ class ConfluenceClient {
       // so they appear as literal characters in the CDATA output
       const decodedCode = code.replace(/\n$/, '')
         .replace(/"/g, '"')
-        .replace(/&/g, '&')
         .replace(/&lt;/g, '<')
-        .replace(/&gt;/g, '>');
-      return `<ac:structured-macro ac:name="code"><ac:parameter ac:name="language">${language}</ac:parameter><ac:plain-text-body><![CDATA[${decodedCode}]]></ac:plain-text-body></ac:structured-macro>`;
+        .replace(/&gt;/g, '>')
+        .replace(/&amp;/g, '&');   // & last to avoid double-decoding
+      const safeCode = decodedCode.replace(/]]>/g, ']]]]><![CDATA[>');
+      return `<ac:structured-macro ac:name="code"><ac:parameter ac:name="language">${language}</ac:parameter><ac:plain-text-body><![CDATA[${safeCode}]]></ac:plain-text-body></ac:structured-macro>`;
     });
 
     // Convert inline code

tests/confluence-client.test.js

@@ -327,6 +327,16 @@ describe('ConfluenceClient', () => {
       expect(result).toContain('<td><p>Cell 1</p></td>');
     });
 
+    test('should escape CDATA terminators in code blocks', () => {
+      const markdown = '```xml\n<![CDATA[some data]]>\n```';
+      const result = client.markdownToStorage(markdown);
+
+      expect(result).toContain('<![CDATA[');
+      expect(result).toContain(']]]]><![CDATA[>');
+      // The literal ]]> from user code should not appear unescaped
+      expect(result).not.toContain('some data]]>');
+    });
+
     test('should convert links to smart link format on Cloud instances', () => {
       const markdown = '[Example Link](https://example.com)';
       const result = client.markdownToStorage(markdown);