1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 |
- import { DefaultAllowlist, sanitizeHtml } from '../../../src/util/sanitizer'
- describe('Sanitizer', () => {
- describe('sanitizeHtml', () => {
- it('should return the same on empty string', () => {
- const empty = ''
- const result = sanitizeHtml(empty, DefaultAllowlist, null)
- expect(result).toEqual(empty)
- })
- it('should sanitize template by removing tags with XSS', () => {
- const template = [
- '<div>',
- ' <a href="javascript:alert(7)">Click me</a>',
- ' <span>Some content</span>',
- '</div>'
- ].join('')
- const result = sanitizeHtml(template, DefaultAllowlist, null)
- expect(result).not.toContain('href="javascript:alert(7)')
- })
- it('should allow aria attributes and safe attributes', () => {
- const template = [
- '<div aria-pressed="true">',
- ' <span class="test">Some content</span>',
- '</div>'
- ].join('')
- const result = sanitizeHtml(template, DefaultAllowlist, null)
- expect(result).toContain('aria-pressed')
- expect(result).toContain('class="test"')
- })
- it('should remove tags not in allowlist', () => {
- const template = [
- '<div>',
- ' <script>alert(7)</script>',
- '</div>'
- ].join('')
- const result = sanitizeHtml(template, DefaultAllowlist, null)
- expect(result).not.toContain('<script>')
- })
- it('should not use native api to sanitize if a custom function passed', () => {
- const template = [
- '<div>',
- ' <span>Some content</span>',
- '</div>'
- ].join('')
- function mySanitize(htmlUnsafe) {
- return htmlUnsafe
- }
- spyOn(DOMParser.prototype, 'parseFromString')
- const result = sanitizeHtml(template, DefaultAllowlist, mySanitize)
- expect(result).toEqual(template)
- expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()
- })
- it('should allow multiple sanitation passes of the same template', () => {
- const template = '<img src="test.jpg">'
- const firstResult = sanitizeHtml(template, DefaultAllowlist, null)
- const secondResult = sanitizeHtml(template, DefaultAllowlist, null)
- expect(firstResult).toContain('src')
- expect(secondResult).toContain('src')
- })
- })
- })