src/lib/User/BadgeWall/badgeLinks.test.ts


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

import { describe, expect, it } from "vitest";
import { classifyDesigner, classifySource } from "./badgeLinks";

describe("classifySource", () => {
	it("labels known hosts and keeps the original href", () => {
		expect(classifySource("https://www.pixiv.net/en/artworks/1")).toEqual({
			href: "https://www.pixiv.net/en/artworks/1",
			label: "Pixiv",
		});
		expect(classifySource("https://x.com/someone")).toEqual({
			href: "https://x.com/someone",
			label: "X (Twitter)",
		});
	});

	it("falls back to the raw url as label for unknown hosts", () => {
		expect(classifySource("https://example.com/art")).toEqual({
			href: "https://example.com/art",
			label: "https://example.com/art",
		});
	});

	it("rejects non-http(s) and malformed urls (href becomes null)", () => {
		expect(classifySource("javascript:alert(1)").href).toBeNull();
		expect(classifySource("data:text/html,<script>1</script>").href).toBeNull();
		expect(classifySource("not a url").href).toBeNull();
	});

	it("never produces a usable href for an html-injection payload", () => {
		const payload = 'http://x"><img src=x onerror=alert(document.cookie)>';
		const result = classifySource(payload);

		expect(result.href).toBeNull();
		expect(result.label).toBe(payload);
	});
});

describe("classifyDesigner", () => {
	it("extracts the username from an anilist profile url", () => {
		expect(classifyDesigner("https://anilist.co/user/fuwn/")).toEqual({
			href: "https://anilist.co/user/fuwn/",
			label: "fuwn",
		});
	});

	it("builds an anilist link from an @handle", () => {
		expect(classifyDesigner("@fuwn")).toEqual({
			href: "https://anilist.co/user/fuwn/",
			label: "fuwn",
		});
	});

	it("builds an anilist link from a bare name", () => {
		expect(classifyDesigner("fuwn")).toEqual({
			href: "https://anilist.co/user/fuwn/",
			label: "fuwn",
		});
	});

	it("forces an html-injection payload into the anilist path, never its own scheme/host", () => {
		const payload = '"><img src=x onerror=alert(document.cookie)>';
		const result = classifyDesigner(payload);

		expect(
			result.href === null ||
				result.href.startsWith("https://anilist.co/user/"),
		).toBe(true);
		expect(result.label).toBe(payload);
	});
});