path: root/apps/web/lib/sanitize.test.ts
Diffstat (limited to 'apps/web/lib/sanitize.test.ts')
-rw-r--r--apps/web/lib/sanitize.test.ts47
1 files changed, 47 insertions, 0 deletions
diff --git a/apps/web/lib/sanitize.test.ts b/apps/web/lib/sanitize.test.ts
new file mode 100644
index 0000000..266b8af
--- /dev/null
+++ b/apps/web/lib/sanitize.test.ts
@@ -0,0 +1,47 @@
+import { describe, it, expect } from "vitest"
+import { sanitizeEntryContent } from "./sanitize"
+
+describe("sanitizeEntryContent", () => {
+ it("allows safe html tags", () => {
+ const input = "<p>hello <strong>world</strong></p>"
+ expect(sanitizeEntryContent(input)).toBe(input)
+ })
+
+ it("strips script tags", () => {
+ const input = '<p>safe</p><script>alert("xss")</script>'
+ expect(sanitizeEntryContent(input)).toBe("<p>safe</p>")
+ })
+
+ it("strips event handlers", () => {
+ const input = '<p onclick="alert(1)">click me</p>'
+ expect(sanitizeEntryContent(input)).toBe("<p>click me</p>")
+ })
+
+ it("allows img tags with safe attributes", () => {
+ const input = '<img src="https://example.com/img.jpg" alt="photo">'
+ const result = sanitizeEntryContent(input)
+ expect(result).toContain("src=")
+ expect(result).toContain("alt=")
+ })
+
+ it("strips iframe tags", () => {
+ const input = '<iframe src="https://evil.com"></iframe>'
+ expect(sanitizeEntryContent(input)).toBe("")
+ })
+
+ it("strips javascript: urls from links", () => {
+ const input = '<a href="javascript:alert(1)">click</a>'
+ const result = sanitizeEntryContent(input)
+ expect(result).not.toContain("javascript:")
+ })
+
+ it("allows https links", () => {
+ const input = '<a href="https://example.com">link</a>'
+ expect(sanitizeEntryContent(input)).toBe(input)
+ })
+
+ it("preserves code blocks", () => {
+ const input = "<pre><code>const x = 1</code></pre>"
+ expect(sanitizeEntryContent(input)).toBe(input)
+ })
+})
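Review bot: The img case (`expect(result).toContain("src=")` / `toContain("alt=")`) and the javascript: link case (`expect(result).not.toContain("javascript:")`) assert only substrings, so they would still pass if the sanitizer kept an unsafe attribute value, rewrote the URL, or let a differently cased or entity-encoded scheme through, which is exactly the behaviour a sanitizer test exists to pin down. The other "allows" tests already compare the whole output with `toBe(input)`; the img test should do the same, `expect(sanitizeEntryContent(input)).toBe(input)`, assuming the sanitizer is meant to pass that markup through unchanged (verify against the implementation, which is not in this diff). For the javascript: link, assert the attribute itself is gone rather than the literal string, e.g. `expect(result).not.toContain("href=")` or `expect(result).toBe("<a>click</a>")`, whichever matches what `sanitizeEntryContent` actually emits. A one-line comment above that test saying why the attribute-level assertion is used (`// substring checks miss encoded or case-variant schemes; assert the attribute is dropped`) would keep the next contributor from weakening it again.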