import { sanitizeHTML, sanitizeInput, sanitizeURL, escapeHTML } from './sanitize';
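/**
 * Unit tests for the sanitize helpers.
 *
 * Each helper is treated as a black box: one benign input must pass through
 * and one input carrying markup or a scheme must not survive. The per-character
 * escapeHTML table now includes '/', which the mixed-content case already
 * relies on (`</script>` -> `&lt;&#x2F;script&gt;`) but was not pinned on its own.
 */
describe('sanitize', () => {
  describe('sanitizeHTML', () => {
    it('should allow safe HTML tags', () => {
      const result = sanitizeHTML('<p>Hello <b>world</b></p>');
      expect(result).toContain('<p>');
      expect(result).toContain('<b>');
    });

    it('should remove dangerous tags', () => {
      // Script markup must be dropped while sibling safe markup is kept.
      const result = sanitizeHTML('<script>alert("xss")</script><p>safe</p>');
      expect(result).not.toContain('<script>');
      expect(result).toContain('<p>');
    });

    it('should remove dangerous attributes', () => {
      // Inline event handlers are the attribute class covered here.
      // NOTE(review): attribute values carrying a scheme (an href with a
      // script scheme) are not covered — confirm against the implementation.
      const result = sanitizeHTML('<a href="#" onclick="alert(1)">link</a>');
      expect(result).not.toContain('onclick');
    });

    it('should handle empty input', () => {
      expect(sanitizeHTML('')).toBe('');
    });
  });

  describe('sanitizeInput', () => {
    it('should remove all HTML tags', () => {
      // Tags go, the text between them stays.
      const result = sanitizeInput('<p>Hello <b>world</b></p>');
      expect(result).not.toContain('<p>');
      expect(result).not.toContain('<b>');
      expect(result).toContain('Hello');
      expect(result).toContain('world');
    });

    it('should handle special characters', () => {
      const result = sanitizeInput('<script>alert("xss")</script>');
      expect(result).not.toContain('<script>');
    });
  });

  describe('sanitizeURL', () => {
    // Schemes the helper is expected to pass through unchanged.
    it.each([
      'http://example.com',
      'https://example.com',
      'mailto:test@example.com',
    ])('should allow %s', (url) => {
      expect(sanitizeURL(url)).toBe(url);
    });

    // Schemes that can carry executable content; rejection is signalled by ''.
    // NOTE(review): mixed-case or whitespace-prefixed schemes are not covered
    // here — confirm the implementation normalises before comparing.
    it.each([
      'javascript:alert(1)',
      'data:text/html,<script>alert(1)</script>',
    ])('should reject %s', (url) => {
      expect(sanitizeURL(url)).toBe('');
    });
  });

  describe('escapeHTML', () => {
    // Each character that can open or close markup or an attribute value maps
    // to a fixed entity; '/' is listed because the mixed case below depends on it.
    it.each([
      ['<div>', '&lt;div&gt;'],
      ['&', '&amp;'],
      ['"', '&quot;'],
      ["'", '&#x27;'],
      ['/', '&#x2F;'],
    ])('should escape %s', (input, expected) => {
      expect(escapeHTML(input)).toBe(expected);
    });

    it('should handle mixed content', () => {
      expect(escapeHTML('<script>alert("test")</script>')).toBe(
        '&lt;script&gt;alert(&quot;test&quot;)&lt;&#x2F;script&gt;',
      );
    });

    it('should handle empty string', () => {
      expect(escapeHTML('')).toBe('');
    });
  });
});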