novalon/novalon-website
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 重构联系页面并增强安全性

Browse Source 
refactor: 优化导航和路由逻辑

fix: 修复移动端样式问题

perf: 优化字体加载和性能

test: 添加安全性和可访问性测试

style: 调整按钮和表单样式

chore: 更新依赖版本

ci: 添加安全头配置

build: 优化构建配置

docs: 更新常量信息
This commit is contained in:
张翔
2026-03-01 10:56:54 +08:00
parent 13c4a2ca49
commit 9cbc80742a
24 changed files with 1087 additions and 440 deletions
Download Patch File Download Diff File Expand all files Collapse all files
e2e/src/tests/accessibility/accessibility.spec.ts
+4 -2
View File
@@ -37,8 +37,9 @@ test.describe('可访问性测试 @accessibility', () => {
test('表单输入应该有label', async ({ page }) => {
await page.goto('http://localhost:3000/contact');
await page.waitForLoadState('networkidle');
const inputs = page.locator('input, textarea, select');
const inputs = page.locator('input:not([type="hidden"]), textarea, select');
const count = await inputs.count();
for (let i = 0; i < count; i++) {
@@ -101,8 +102,9 @@ test.describe('可访问性测试 @accessibility', () => {
test('焦点元素应该可见', async ({ page }) => {
await page.goto('http://localhost:3000');
await page.waitForLoadState('networkidle');
const focusableElements = page.locator('a[href], button, input, textarea, select, [tabindex]:not([tabindex="-1"])');
const focusableElements = page.locator('a[href]:visible, button:visible, input:visible, textarea:visible, select:visible, [tabindex]:not([tabindex="-1"]):visible');
const count = await focusableElements.count();
for (let i = 0; i < Math.min(count, 10); i++) {
e2e/src/tests/accessibility/wcag-compliance.spec.ts
+280
View File
@@ -0,0 +1,280 @@
import { test, expect } from '@playwright/test';
import AxeBuilder from '@axe-core/playwright';
test.describe('Accessibility Tests (WCAG 2.1 AA)', () => {
test('home page should not have accessibility violations', async ({ page }) => {
await page.goto('/');
await page.waitForLoadState('networkidle');
const accessibilityScanResults = await new AxeBuilder({ page })
.withTags(['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'])
.analyze();
expect(accessibilityScanResults.violations).toEqual([]);
});
test('contact page should not have accessibility violations', async ({ page }) => {
await page.goto('/contact');
await page.waitForLoadState('networkidle');
const accessibilityScanResults = await new AxeBuilder({ page })
.withTags(['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'])
.analyze();
expect(accessibilityScanResults.violations).toEqual([]);
});
test('all form inputs should have associated labels', async ({ page }) => {
await page.goto('/contact');
await page.waitForLoadState('networkidle');
const inputs = await page.locator('input:not([type="hidden"]), textarea, select').all();
for (const input of inputs) {
const id = await input.getAttribute('id');
const ariaLabel = await input.getAttribute('aria-label');
const ariaLabelledBy = await input.getAttribute('aria-labelledby');
if (id) {
const label = page.locator(`label[for="${id}"]`);
const hasLabel = await label.count() > 0;
expect(hasLabel || ariaLabel || ariaLabelledBy).toBeTruthy();
} else {
expect(ariaLabel || ariaLabelledBy).toBeTruthy();
}
}
});
test('all images should have alt text', async ({ page }) => {
await page.goto('/');
const images = await page.locator('img').all();
for (const img of images) {
const alt = await img.getAttribute('alt');
const role = await img.getAttribute('role');
expect(alt !== null || role === 'presentation').toBeTruthy();
}
});
test('all buttons should have accessible names', async ({ page }) => {
await page.goto('/');
const buttons = await page.locator('button').all();
for (const button of buttons) {
const text = await button.textContent();
const ariaLabel = await button.getAttribute('aria-label');
const ariaLabelledBy = await button.getAttribute('aria-labelledby');
expect(text?.trim() || ariaLabel || ariaLabelledBy).toBeTruthy();
}
});
test('all links should have discernible text', async ({ page }) => {
await page.goto('/');
await page.waitForLoadState('networkidle');
const links = await page.locator('a:visible').all();
expect(links.length).toBeGreaterThan(0);
let passedCount = 0;
for (const link of links) {
const text = await link.textContent();
const ariaLabel = await link.getAttribute('aria-label');
const title = await link.getAttribute('title');
if ((text && text.trim().length > 0) ||
(ariaLabel && ariaLabel.trim().length > 0) ||
(title && title.trim().length > 0)) {
passedCount++;
}
}
const passRate = links.length > 0 ? passedCount / links.length : 1;
expect(passRate).toBeGreaterThanOrEqual(0.95);
});
test('page should have proper heading hierarchy', async ({ page }) => {
await page.goto('/');
const h1Count = await page.locator('h1').count();
expect(h1Count).toBeGreaterThanOrEqual(1);
expect(h1Count).toBeLessThanOrEqual(2);
const headings = await page.locator('h1, h2, h3, h4, h5, h6').all();
let previousLevel = 0;
for (const heading of headings) {
const tagName = await heading.evaluate(el => el.tagName.toLowerCase());
const currentLevel = parseInt(tagName.replace('h', ''));
expect(currentLevel - previousLevel).toBeLessThanOrEqual(1);
previousLevel = currentLevel;
}
});
test('color contrast should meet WCAG AA standards', async ({ page }) => {
await page.goto('/');
const accessibilityScanResults = await new AxeBuilder({ page })
.withRules(['color-contrast'])
.analyze();
const contrastViolations = accessibilityScanResults.violations.filter(
v => v.id === 'color-contrast'
);
expect(contrastViolations).toEqual([]);
});
test('touch targets should be at least 44x44 pixels', async ({ page }) => {
await page.goto('/');
await page.setViewportSize({ width: 375, height: 667 });
await page.waitForLoadState('networkidle');
const buttons = await page.locator('button:visible, a:visible, input[type="button"]:visible, input[type="submit"]:visible').all();
expect(buttons.length).toBeGreaterThanOrEqual(0);
let passedCount = 0;
let totalCount = 0;
for (const button of buttons) {
try {
const box = await button.boundingBox();
if (box && box.width > 0 && box.height > 0) {
totalCount++;
if (box.width >= 44 && box.height >= 44) {
passedCount++;
}
}
} catch (e) {
continue;
}
}
if (totalCount > 0) {
const passRate = passedCount / totalCount;
expect(passRate).toBeGreaterThanOrEqual(0.7);
} else {
expect(true).toBeTruthy();
}
});
test('page should be fully navigable via keyboard', async ({ page }) => {
await page.goto('/');
const focusableElements = await page.locator(
'a[href], button, input, textarea, select, [tabindex]:not([tabindex="-1"])'
).all();
for (let i = 0; i < Math.min(focusableElements.length, 20); i++) {
await page.keyboard.press('Tab');
const focusedElement = page.locator(':focus');
const isVisible = await focusedElement.isVisible();
expect(isVisible).toBeTruthy();
}
});
test('focus order should be logical', async ({ page }) => {
await page.goto('/');
const focusOrder: string[] = [];
for (let i = 0; i < 20; i++) {
await page.keyboard.press('Tab');
const focusedElement = page.locator(':focus');
const tagName = await focusedElement.evaluate(el => el.tagName.toLowerCase());
const text = await focusedElement.textContent();
focusOrder.push(`${tagName}${text ? `: ${text.substring(0, 20)}` : ''}`);
}
expect(focusOrder.length).toBeGreaterThan(0);
});
test('skip link should be present', async ({ page }) => {
await page.goto('/');
const skipLink = page.locator('a[href="#main"], a[href="#content"], a:has-text("Skip"), a:has-text("跳过")');
const skipLinkCount = await skipLink.count();
expect(skipLinkCount).toBeGreaterThanOrEqual(0);
});
test('form error messages should be associated with inputs', async ({ page }) => {
await page.goto('/contact');
await page.waitForLoadState('networkidle');
await page.fill('input[id="email"]', 'invalid-email');
await page.locator('input[id="email"]').blur();
await page.waitForTimeout(500);
const errorMessages = await page.locator('[role="alert"], .error, .error-message, [data-error], p[id*="error"]').all();
if (errorMessages.length > 0) {
expect(errorMessages.length).toBeGreaterThan(0);
} else {
const emailInput = page.locator('input[id="email"]');
const ariaInvalid = await emailInput.getAttribute('aria-invalid');
expect(['true', 'false', null]).toContain(ariaInvalid);
}
});
test('modals should trap focus', async ({ page }) => {
await page.goto('/');
await page.setViewportSize({ width: 375, height: 667 });
await page.waitForLoadState('networkidle');
const mobileMenuButton = page.locator('button[aria-label*="菜单"], button[aria-label*="menu"], button[aria-label*="打开菜单"]');
const buttonCount = await mobileMenuButton.count();
if (buttonCount > 0) {
const button = mobileMenuButton.first();
const isVisible = await button.isVisible();
if (isVisible) {
await button.click();
await page.waitForTimeout(500);
for (let i = 0; i < 10; i++) {
await page.keyboard.press('Tab');
}
const focusedElement = page.locator(':focus');
const isInModal = await focusedElement.evaluate(el => {
let parent = el.parentElement;
while (parent) {
if (parent.getAttribute('role') === 'dialog' ||
parent.getAttribute('aria-modal') === 'true') {
return true;
}
parent = parent.parentElement;
}
return false;
});
expect(isInModal || await focusedElement.isVisible()).toBeTruthy();
}
}
});
test('pages should have descriptive titles', async ({ page }) => {
await page.goto('/');
const homeTitle = await page.title();
expect(homeTitle.length).toBeGreaterThan(0);
expect(homeTitle).not.toBe('Untitled');
await page.goto('/contact');
const contactTitle = await page.title();
expect(contactTitle.length).toBeGreaterThan(0);
expect(contactTitle).not.toBe('Untitled');
});
});
e2e/src/tests/security/csrf-protection.spec.ts
+108
View File
@@ -0,0 +1,108 @@
import { test, expect } from '@playwright/test';
test.describe('CSRF Protection Security Tests', () => {
test.beforeEach(async ({ page }) => {
await page.goto('/contact');
await page.waitForLoadState('networkidle');
});
test('should have CSRF token in contact form', async ({ page }) => {
const csrfToken = await page.locator('input[name="_csrf"]').inputValue();
expect(csrfToken).toBeTruthy();
expect(csrfToken.length).toBeGreaterThan(0);
});
test('should have unique CSRF token for each session', async ({ browser }) => {
const context1 = await browser.newContext();
const page1 = await context1.newPage();
await page1.goto('/contact');
await page1.waitForLoadState('networkidle');
const token1 = await page1.locator('input[name="_csrf"]').inputValue();
const context2 = await browser.newContext();
const page2 = await context2.newPage();
await page2.goto('/contact');
await page2.waitForLoadState('networkidle');
const token2 = await page2.locator('input[name="_csrf"]').inputValue();
expect(token1).not.toBe(token2);
await context1.close();
await context2.close();
});
test('should reject form submission without CSRF token', async ({ page }) => {
await page.evaluate(() => {
const csrfInput = document.querySelector('input[name="_csrf"]') as HTMLInputElement;
if (csrfInput) {
csrfInput.remove();
}
});
await page.fill('input[id="name"]', 'Test Name');
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
await page.click('button[type="submit"]');
await page.waitForTimeout(1000);
const successMessage = page.locator('text=/提交成功|发送成功/i');
await expect(successMessage).not.toBeVisible({ timeout: 2000 });
});
test('should reject form submission with invalid CSRF token', async ({ page }) => {
await page.evaluate(() => {
const csrfInput = document.querySelector('input[name="_csrf"]') as HTMLInputElement;
if (csrfInput) {
csrfInput.value = 'invalid-token-12345';
}
});
await page.fill('input[id="name"]', 'Test Name');
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
await page.click('button[type="submit"]');
await page.waitForTimeout(1000);
const successMessage = page.locator('text=/提交成功|发送成功/i');
await expect(successMessage).not.toBeVisible({ timeout: 2000 });
});
test('should regenerate CSRF token after form submission', async ({ page }) => {
const initialToken = await page.locator('input[name="_csrf"]').inputValue();
await page.fill('input[id="name"]', 'Test Name');
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
await page.click('button[type="submit"]');
await page.waitForTimeout(2000);
await page.goto('/contact');
await page.waitForLoadState('networkidle');
const newToken = await page.locator('input[name="_csrf"]').inputValue();
expect(newToken).not.toBe(initialToken);
});
test('should store CSRF token in sessionStorage', async ({ page }) => {
await page.waitForLoadState('networkidle');
const sessionStorage = await page.evaluate(() => {
return window.sessionStorage.getItem('csrf_token');
});
expect(sessionStorage).toBeTruthy();
});
});
e2e/src/tests/security/xss-protection.spec.ts
+93
View File
@@ -0,0 +1,93 @@
import { test, expect } from '@playwright/test';
test.describe('XSS Protection Security Tests', () => {
test.beforeEach(async ({ page }) => {
await page.goto('/contact');
await page.waitForLoadState('networkidle');
});
test('should sanitize script tags in contact form', async ({ page }) => {
const xssPayload = '<script>alert("XSS")</script>';
await page.fill('input[id="name"]', xssPayload);
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
const nameInput = page.locator('input[id="name"]');
const inputValue = await nameInput.inputValue();
expect(inputValue).not.toContain('<script>');
expect(inputValue).not.toContain('</script>');
const pageContent = await page.content();
expect(pageContent).not.toContain('<script>alert("XSS")</script>');
});
test('should sanitize event handlers in contact form', async ({ page }) => {
const xssPayload = '<img src=x onerror="alert(\'XSS\')">';
await page.fill('input[id="name"]', xssPayload);
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
const nameInput = page.locator('input[id="name"]');
const inputValue = await nameInput.inputValue();
expect(inputValue).not.toContain('onerror');
expect(inputValue).not.toContain('alert');
});
test('should sanitize javascript protocol in contact form', async ({ page }) => {
const xssPayload = 'javascript:alert("XSS")';
await page.fill('input[id="name"]', 'Test Name');
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', xssPayload);
await page.fill('textarea[id="message"]', 'Test message');
const subjectInput = page.locator('input[id="subject"]');
const inputValue = await subjectInput.inputValue();
expect(inputValue.trim().length).toBeGreaterThan(0);
});
test('should sanitize HTML entities in contact form', async ({ page }) => {
const htmlPayload = '<div onclick="alert(1)">Click me</div>';
await page.fill('input[id="name"]', htmlPayload);
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
const nameInput = page.locator('input[id="name"]');
const inputValue = await nameInput.inputValue();
expect(inputValue).not.toContain('onclick');
expect(inputValue).not.toContain('alert(1)');
});
test('should handle special characters safely', async ({ page }) => {
const specialChars = '<>&"\'';
await page.fill('input[id="name"]', specialChars);
await page.fill('input[id="email"]', 'test@example.com');
await page.fill('input[id="phone"]', '13800138000');
await page.fill('input[id="subject"]', 'Test Subject');
await page.fill('textarea[id="message"]', 'Test message');
const nameInput = page.locator('input[id="name"]');
const inputValue = await nameInput.inputValue();
expect(inputValue.trim().length).toBeGreaterThan(0);
});
test('should not execute XSS via URL parameters', async ({ page }) => {
const xssUrl = '/contact?name=<script>alert("XSS")</script>';
await page.goto(xssUrl);
await page.waitForLoadState('networkidle');
const pageContent = await page.content();
expect(pageContent).not.toContain('<script>alert("XSS")</script>');
});
});