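// @vitest-environment jsdom
import { describe, expect, it } from "vitest";
import { sanitizeFeedHtml } from "./sanitizeHtml";

// NOTE(review): the markup inside the fixture strings was lost in the copy this
// file was restored from, which left several assertions vacuous (e.g. a plain
// "safe" string trivially not containing "script") and one string literal cut
// in half. The inputs below are constructed examples of each category the test
// names (entity, inline tag, safe link, line break, script, event handler,
// javascript: URL, iframe, meta, style, wrapper element) — not the original
// fixtures. The second test's name is likewise reconstructed. Re-check both
// against the sanitizer's actual allow-list before relying on them.
describe("sanitizeFeedHtml", () => {
  // Behaviour gate: the formatting real feeds use must survive untouched.
  it("preserves entities, inline formatting and safe links", () => {
    // An already-encoded entity must come back as-is, not double-encoded or decoded.
    expect(sanitizeFeedHtml("Fruits &amp; Vegetables")).toBe(
      "Fruits &amp; Vegetables",
    );
    expect(sanitizeFeedHtml("<em>italic</em> and <strong>bold</strong>")).toBe(
      "<em>italic</em> and <strong>bold</strong>",
    );
    expect(sanitizeFeedHtml("Vol. 1 Ch. 5")).toBe("Vol. 1 Ch. 5");
    // https links are allowed and their href is preserved verbatim.
    expect(
      sanitizeFeedHtml('<a href="https://example.com/x">link</a>'),
    ).toContain('href="https://example.com/x"');
    // Only the tag prefix is asserted so either <br> or <br /> serialisation passes.
    expect(sanitizeFeedHtml("line<br>break")).toContain("<br");
  });

  // Nullish and empty input normalise to an empty string rather than throwing.
  it("returns an empty string for nullish or empty input", () => {
    expect(sanitizeFeedHtml(undefined)).toBe("");
    expect(sanitizeFeedHtml(null)).toBe("");
    expect(sanitizeFeedHtml("")).toBe("");
  });

  // The fix: scripts, handlers, dangerous tags and URLs must be removed.
  it("strips scripts, event handlers and dangerous tags/urls", () => {
    // The script element is removed while the surrounding text survives.
    const script = sanitizeFeedHtml("<script>1</script>safe");
    expect(script).not.toContain("script");
    expect(script).toContain("safe");

    // An inline event-handler attribute is removed while the surrounding text survives.
    const onerror = sanitizeFeedHtml('before<img src="x" onerror="1">after');
    expect(onerror).not.toContain("onerror");
    expect(onerror).toContain("before");
    expect(onerror).toContain("after");

    // A javascript: href is not a safe link and must not reach the output.
    expect(
      sanitizeFeedHtml('<a href="javascript:void(0)">x</a>'),
    ).not.toContain("javascript:");

    // Embedding and document-level elements are never feed content.
    expect(
      sanitizeFeedHtml('<iframe src="https://example.com/"></iframe>'),
    ).not.toContain("iframe");
    expect(sanitizeFeedHtml('<meta charset="utf-8">')).not.toContain("meta");
    expect(sanitizeFeedHtml("<style>p { color: red; }</style>")).not.toContain(
      "style",
    );

    // A block wrapper is dropped but its text content is kept.
    expect(sanitizeFeedHtml("<div>text</div>")).toBe("text");
  });
});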