48 lines
1.6 KiB
TypeScript
48 lines
1.6 KiB
TypeScript
import { describe, expect, it } from 'vitest';
|
|
import { safeHtml } from './sanitize';
|
|
|
|
describe('safeHtml', () => {
|
|
it('returns empty string for null/undefined/empty input', () => {
|
|
expect(safeHtml(null)).toBe('');
|
|
expect(safeHtml(undefined)).toBe('');
|
|
expect(safeHtml('')).toBe('');
|
|
});
|
|
|
|
it('keeps allowed tags: p, strong, em, br, h2, h3, ul, ol, li', () => {
|
|
const html =
|
|
'<p><strong>bold</strong> <em>italic</em><br>x</p>' +
|
|
'<h2>H2</h2><h3>H3</h3>' +
|
|
'<ul><li>a</li></ul><ol><li>b</li></ol>';
|
|
const result = safeHtml(html);
|
|
expect(result).toContain('<strong>bold</strong>');
|
|
expect(result).toContain('<em>italic</em>');
|
|
expect(result).toContain('<br>');
|
|
expect(result).toContain('<h2>H2</h2>');
|
|
expect(result).toContain('<h3>H3</h3>');
|
|
expect(result).toContain('<ul>');
|
|
expect(result).toContain('<ol>');
|
|
expect(result).toContain('<li>a</li>');
|
|
});
|
|
|
|
it('strips <script> tags entirely', () => {
|
|
const result = safeHtml('<p>ok</p><script>alert(1)</script>');
|
|
expect(result).not.toContain('<script>');
|
|
expect(result).not.toContain('alert');
|
|
expect(result).toContain('<p>ok</p>');
|
|
});
|
|
|
|
it('strips on* event-handler attributes', () => {
|
|
const result = safeHtml('<p onclick="evil()">x</p>');
|
|
expect(result).not.toContain('onclick');
|
|
});
|
|
|
|
it('strips disallowed elements like <img>, <a>, <iframe>', () => {
|
|
const result = safeHtml(
|
|
'<p>x</p><img src="x" onerror="alert(1)"><a href="javascript:alert(1)">link</a><iframe></iframe>'
|
|
);
|
|
expect(result).not.toContain('<img');
|
|
expect(result).not.toContain('<a ');
|
|
expect(result).not.toContain('<iframe');
|
|
});
|
|
});
|