import { DefaultAllowlist, sanitizeHtml } from '../../../src/util/sanitizer.js' describe('Sanitizer', () => { describe('sanitizeHtml', () => { it('should return the same on empty string', () => { const empty = '' const result = sanitizeHtml(empty, DefaultAllowlist, null) expect(result).toEqual(empty) }) it('should sanitize template by removing tags with XSS', () => { const template = [ '
', ' Click me', ' Some content', '
' ].join('') const result = sanitizeHtml(template, DefaultAllowlist, null) expect(result).not.toContain('href="javascript:alert(7)') }) it('should sanitize template and work with multiple regex', () => { const template = [ '
', ' Click me', ' Some content', '
' ].join('') const myDefaultAllowList = DefaultAllowlist // With the default allow list let result = sanitizeHtml(template, myDefaultAllowList, null) // `data-foo` won't be present expect(result).not.toContain('data-foo="bar"') // Add the following regex too myDefaultAllowList['*'].push(/^data-foo/) result = sanitizeHtml(template, myDefaultAllowList, null) expect(result).not.toContain('href="javascript:alert(7)') // This is in the default list expect(result).toContain('aria-label="This is a link"') // This is in the default list expect(result).toContain('data-foo="bar"') // We explicitly allow this }) it('should allow aria attributes and safe attributes', () => { const template = [ '
', ' Some content', '
' ].join('') const result = sanitizeHtml(template, DefaultAllowlist, null) expect(result).toContain('aria-pressed') expect(result).toContain('class="test"') }) it('should remove tags not in allowlist', () => { const template = [ '
', ' ', '
' ].join('') const result = sanitizeHtml(template, DefaultAllowlist, null) expect(result).not.toContain('