|
| 1 | +import { sanitizeHtmlForTrustedBypass } from './sanitize-html-for-trusted-bypass' |
| 2 | + |
| 3 | +describe('sanitizeHtmlForTrustedBypass', () => { |
| 4 | + it('strips script tags and their content', () => { |
| 5 | + const html = 'Hello <script>alert(1)</script> world' |
| 6 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe('Hello world') |
| 7 | + }) |
| 8 | + |
| 9 | + it('strips script tags with attributes', () => { |
| 10 | + const html = 'Foo <script type="text/javascript">evil()</script> bar' |
| 11 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe('Foo bar') |
| 12 | + }) |
| 13 | + |
| 14 | + it('strips style tags and their content', () => { |
| 15 | + const html = 'Text <style>.x { color: red }</style> more' |
| 16 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe('Text more') |
| 17 | + }) |
| 18 | + |
| 19 | + it('strips img tags (e.g. img with onerror)', () => { |
| 20 | + const html = `test <img src=x onerror=alert('malicious-code')>` |
| 21 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe('test ') |
| 22 | + }) |
| 23 | + |
| 24 | + it('strips event-handler attributes from any tag', () => { |
| 25 | + const html = '<span onclick="alert(1)">click</span>' |
| 26 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe('<span>click</span>') |
| 27 | + }) |
| 28 | + |
| 29 | + it('leaves safe markup intact', () => { |
| 30 | + const html = '<span class="highlight">safe</span>' |
| 31 | + expect(sanitizeHtmlForTrustedBypass(html)).toBe(html) |
| 32 | + }) |
| 33 | + |
| 34 | + it('returns empty string for non-string input', () => { |
| 35 | + expect(sanitizeHtmlForTrustedBypass(null as any)).toBe('') |
| 36 | + expect(sanitizeHtmlForTrustedBypass(undefined as any)).toBe('') |
| 37 | + }) |
| 38 | +}) |
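Review bot: Every input in this suite is lowercase, well-formed markup, so the tests never exercise the variants where a tag-stripping sanitizer typically diverges from the browser's parser: upper- or mixed-case tag names (`<SCRIPT>`), whitespace or a newline between `<script` and `>`, an unterminated `<script` at the end of the input, and URL-bearing attributes (`href`, `src`) that are not `on*` handlers. One case per variant, e.g. `expect(sanitizeHtmlForTrustedBypass('a <SCRIPT>x</SCRIPT> b')).toBe('a b')`, would pin the contract the "TrustedBypass" name appears to promise. The expectations also disagree on whitespace: the script/style cases expect the two spaces around the removed element to collapse to `'Hello world'`, while the img case keeps the trailing space in `'test '`, so either the sanitizer normalizes whitespace (worth its own test) or the first expectations are wrong. Finally, `null as any` in the non-string case defeats the type check; prefer `// @ts-expect-error non-string input is the case under test` above the call so a later change of the parameter to `unknown` is noticed.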