import { describe, expect, it } from 'vitest'; import { sanitizeBlocks, sanitizeUntrustedHtml } from './sanitize-blocks.server'; describe('sanitizeUntrustedHtml', () => { it('strips '); expect(out).not.toContain('script'); expect(out).toContain('ok'); }); it('strips on* event handlers', () => { const out = sanitizeUntrustedHtml('x'); expect(out).not.toContain('onclick'); }); it('strips javascript: URLs', () => { const out = sanitizeUntrustedHtml('x'); expect(out).not.toContain('javascript'); }); it('keeps allowed tags + attributes', () => { const out = sanitizeUntrustedHtml('

bold

'); expect(out).toContain('

'); expect(out).toContain('bold'); }); it('allows iframes only from approved hosts', () => { const ok = sanitizeUntrustedHtml(''); expect(ok).toContain('youtube.com'); const bad = sanitizeUntrustedHtml(''); expect(bad).not.toContain('evil'); }); it('adds rel=noopener on target=_blank', () => { const out = sanitizeUntrustedHtml('x'); expect(out).toContain('rel="noopener noreferrer"'); }); }); describe('sanitizeBlocks (walker)', () => { it('mutates html-block fields in place', () => { const tree = { row1Content: [ { _type: 'html', html: '

safe

' }, { _type: 'markdown', content: 'untouched' }, ], }; sanitizeBlocks(tree); expect(tree.row1Content[0].html).not.toContain('script'); expect(tree.row1Content[0].html).toContain('safe'); expect((tree.row1Content[1] as { content: string }).content).toBe('untouched'); }); it('walks nested arrays', () => { const tree = { sections: [ { items: [{ _type: 'html', html: '' }] }, ], }; sanitizeBlocks(tree); const html = (tree.sections[0].items[0] as { html: string }).html; expect(html).not.toContain('onerror'); }); it('handles non-object inputs gracefully', () => { expect(() => sanitizeBlocks(null)).not.toThrow(); expect(() => sanitizeBlocks('string')).not.toThrow(); expect(() => sanitizeBlocks([1, 2, 3])).not.toThrow(); }); });