/** @jest-environment jsdom */
const path = require('path');
// Load sanitizer utility first so alerts can delegate to it
require(path.join(__dirname, '..', 'sanitizer.js'));
// Load the alerts module (IIFE attaches itself to window)
require(path.join(__dirname, '..', 'alerts.js'));
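describe('alerts._sanitize', () => {
  // Resolved once at describe time. alerts.js is expected to have attached
  // itself to `window` during the require() above; if it did not, `sanitize`
  // is undefined and the first test reports that explicitly instead of every
  // test failing with an opaque TypeError.
  const sanitize = window.alerts && window.alerts._sanitize;

  // Whatever `window.DOMPurify` held before each test, so the stub installed
  // by the lazy-load test can be undone exactly rather than assumed absent.
  let savedDOMPurify;

  beforeEach(() => {
    savedDOMPurify = window.DOMPurify;
  });

  afterEach(() => {
    // Runs even when an expectation throws mid-test, which an inline
    // mockRestore() at the end of a test body does not. Leaving the stub on
    // `window` would let a later test (or a reordered run) pass its input
    // through the mock instead of exercising the code under test.
    jest.restoreAllMocks();
    if (savedDOMPurify === undefined) {
      delete window.DOMPurify;
    } else {
      window.DOMPurify = savedDOMPurify;
    }
  });

  it('should be a function', () => {
    expect(typeof sanitize).toBe('function');
  });

  it('removes <script> tags and event-handler attributes', () => {
    // Exercises the built-in fallback: no DOMPurify stub is installed here,
    // so this is the path that guards the window before the lazy load lands.
    const dirty = '<img src="x" onerror="alert(1)"><script>alert("x")</script><p>Hello</p>';

    const clean = sanitize(dirty);

    // Benign markup survives...
    expect(clean).toContain('<img src="x">');
    expect(clean).toContain('<p>Hello</p>');
    // ...while no <script> tag and no onerror attribute remain (matched
    // case-insensitively so <SCRIPT> / ONERROR variants would also be caught).
    expect(clean).not.toMatch(/<script/i);
    expect(clean).not.toMatch(/onerror/i);

    // NOTE(review): only these two vectors are covered. Nothing in this file
    // demonstrates how the fallback treats javascript: URLs in href/src,
    // <svg onload>, <iframe srcdoc>, or attribute names with mixed case or
    // embedded whitespace — add cases once the fallback's behaviour on them
    // has been confirmed against the implementation.
  });

  it('uses DOMPurify after it is lazily loaded', async () => {
    // Precondition: no DOMPurify on the window, so the first call must go
    // through the fallback and trigger the loader.
    delete window.DOMPurify;

    const mockPurify = {
      sanitize: jest.fn((html) => `CLEAN:${html}`),
    };

    // Stand in for the shared loader: install the stub synchronously and
    // hand back an already-resolved promise, as a successful load would.
    // The spy is restored by afterEach.
    const loaderSpy = jest
      .spyOn(window.htmlSanitizer, 'ensureDOMPurifyLoaded')
      .mockImplementation(() => {
        window.DOMPurify = mockPurify;
        return Promise.resolve(mockPurify);
      });

    const dirty = '<span onclick="evil()">Hi</span>';

    // First call: DOMPurify is not yet available, so the fallback must run
    // and the loader must be kicked off exactly once.
    const first = sanitize(dirty);
    expect(mockPurify.sanitize).not.toHaveBeenCalled();
    expect(loaderSpy).toHaveBeenCalledTimes(1);
    // The pre-load window is not unprotected: the fallback still strips the
    // inline handler from this call's output.
    expect(first).not.toMatch(/onclick/i);

    // Let the loader's promise settle before the next call.
    await loaderSpy.mock.results[0].value;

    // Second call: DOMPurify is now on the window and must be preferred.
    const second = sanitize(dirty);
    expect(mockPurify.sanitize).toHaveBeenCalledTimes(1);
    expect(second).toBe(`CLEAN:${dirty}`);
  });
});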