/** @jest-environment jsdom */

require('../sanitizer.js');

describe('htmlSanitizer', () => {
  it('escape() encodes special HTML chars', () => {
    const { escape } = window.htmlSanitizer;
    expect(escape('<div>')).toBe('&lt;div&gt;');
    expect(escape('Tom & Jerry')).toBe('Tom &amp; Jerry');
    expect(escape('"quotes" and \'apostrophes\'')).toContain('&quot;');
  });

  it('sanitize() returns safe HTML and does not double-escape plain text', () => {
    const { sanitize, escape } = window.htmlSanitizer;
    const dirty = '<img src=x onerror=alert(1)><p>Hello</p>';
    const clean = sanitize(dirty);
    expect(clean).toContain('<img');
    expect(clean).toContain('<p>Hello</p>');
    expect(clean).not.toMatch(/onerror/i);

    const text = '<b>bold</b>';
    const escaped = escape(text);
    const sanitizedEscaped = sanitize(escaped);
    expect(sanitizedEscaped).toBe(escaped);
  });

  it('setSafeHTML sets sanitized HTML on the element', () => {
    const el = document.createElement('div');
    const dirty = '<img src=x onerror=alert(1)><p>Hello</p>';
    window.setSafeHTML(el, dirty);
    expect(el.innerHTML).toContain('<img');
    expect(el.innerHTML).toContain('<p>Hello</p>');
    expect(el.innerHTML).not.toMatch(/onerror/i);
  });

  it('setSafeHTML uses DOMPurify when it becomes available after first call', () => {
    // Ensure not present initially
    delete window.DOMPurify;

    const el = document.createElement('div');
    const html = '<em>hello</em>';

    // First call: fallback sanitizer (no DOMPurify)
    window.setSafeHTML(el, html);

    // Now make DOMPurify available
    const mockPurify = { sanitize: jest.fn((h) => `CLEAN:${h}`) };
    window.DOMPurify = mockPurify;

    // Second call should use DOMPurify
    window.setSafeHTML(el, html);

    expect(mockPurify.sanitize).toHaveBeenCalledTimes(1);
    expect(el.innerHTML).toBe(`CLEAN:${html}`);
  });
});