import { describe, it, expect } from "vitest"
import { sanitizeEntryContent } from "./sanitize"

describe("sanitizeEntryContent", () => {
  /**
   * What a case asserts about the sanitizer's output.
   * - `unchanged`: output must equal the input byte-for-byte
   * - `equals`:    output must equal a specific string
   * - `contains`:  every needle must appear in the output
   * - `lacks`:     the needle must not appear in the output
   */
  type Expectation =
    | { kind: "unchanged" }
    | { kind: "equals"; value: string }
    | { kind: "contains"; needles: readonly string[] }
    | { kind: "lacks"; needle: string }

  interface Case {
    title: string
    input: string
    want: Expectation
  }

  // Registration order is the original file's order, so reporter output is unchanged.
  const cases: readonly Case[] = [
    {
      title: "allows safe html tags",
      input: "<p>hello <strong>world</strong></p>",
      want: { kind: "unchanged" },
    },
    {
      title: "strips script tags",
      input: '<p>safe</p><script>alert("xss")</script>',
      want: { kind: "equals", value: "<p>safe</p>" },
    },
    {
      title: "strips event handlers",
      input: '<p onclick="alert(1)">click me</p>',
      want: { kind: "equals", value: "<p>click me</p>" },
    },
    {
      title: "allows img tags with safe attributes",
      input: '<img src="https://example.com/img.jpg" alt="photo">',
      want: { kind: "contains", needles: ["src=", "alt="] },
    },
    {
      title: "strips iframe tags",
      input: '<iframe src="https://evil.com"></iframe>',
      want: { kind: "equals", value: "" },
    },
    {
      // NOTE(review): this is a plain substring check on the raw output. It says
      // nothing about how the sanitizer neutralised the URL (attribute dropped,
      // element dropped, scheme rewritten), and it would still pass for an output
      // that re-cases or entity-encodes the scheme. Pinning the exact expected
      // markup here would make the contract explicit — confirm against the
      // sanitizer's actual behaviour before tightening.
      title: "strips javascript: urls from links",
      input: '<a href="javascript:alert(1)">click</a>',
      want: { kind: "lacks", needle: "javascript:" },
    },
    {
      title: "allows https links",
      input: '<a href="https://example.com">link</a>',
      want: { kind: "unchanged" },
    },
    {
      title: "preserves code blocks",
      input: "<pre><code>const x = 1</code></pre>",
      want: { kind: "unchanged" },
    },
    // Tracking-pixel cases. Taken together, these pin the dimension threshold:
    // an <img> whose width or height is 0..3 is removed, 4 and above is kept,
    // and an image with no dimension attributes at all is kept.
    {
      title: "strips 1x1 tracking pixel images",
      input: '<p>content</p><img src="https://tracker.example.com/pixel.gif" width="1" height="1">',
      want: { kind: "equals", value: "<p>content</p>" },
    },
    {
      title: "strips images with zero dimensions",
      input: '<img src="https://tracker.example.com/pixel.gif" width="0" height="0">',
      want: { kind: "equals", value: "" },
    },
    {
      title: "strips images where only width is a tracking dimension",
      input: '<img src="https://tracker.example.com/pixel.gif" width="1">',
      want: { kind: "equals", value: "" },
    },
    {
      title: "strips images where only height is a tracking dimension",
      input: '<img src="https://tracker.example.com/pixel.gif" height="2">',
      want: { kind: "equals", value: "" },
    },
    {
      title: "preserves normal-sized images",
      input: '<img src="https://example.com/photo.jpg" width="800" height="600">',
      want: { kind: "contains", needles: ["src=", "width=", "height="] },
    },
    {
      title: "preserves images without dimension attributes",
      input: '<img src="https://example.com/photo.jpg" alt="a photo">',
      want: { kind: "contains", needles: ["src=", "alt="] },
    },
    {
      title: "strips 3x3 tracking pixel at threshold boundary",
      input: '<img src="https://tracker.example.com/pixel.gif" width="3" height="3">',
      want: { kind: "equals", value: "" },
    },
    {
      title: "preserves images just above tracking pixel threshold",
      input: '<img src="https://example.com/icon.png" width="4" height="4">',
      want: { kind: "contains", needles: ["src="] },
    },
  ]

  /** Applies one expectation to the sanitizer's output for `input`. */
  const check = (input: string, output: string, want: Expectation): void => {
    switch (want.kind) {
      case "unchanged":
        expect(output).toBe(input)
        break
      case "equals":
        expect(output).toBe(want.value)
        break
      case "contains":
        for (const needle of want.needles) {
          expect(output).toContain(needle)
        }
        break
      case "lacks":
        expect(output).not.toContain(want.needle)
        break
      default: {
        // Exhaustiveness guard: adding an Expectation variant without a branch fails to compile.
        const unhandled: never = want
        throw new Error(`unhandled expectation: ${JSON.stringify(unhandled)}`)
      }
    }
  }

  for (const { title, input, want } of cases) {
    it(title, () => {
      check(input, sanitizeEntryContent(input), want)
    })
  }
})