import { describe, it, expect } from 'vitest';
import { sanitizeSvg } from '../../lib/icons/sanitize.js';
/**
 * Contract tests for sanitizeSvg.
 *
 * Each case feeds untrusted SVG markup through the sanitizer and checks that
 * the active-content vector no longer appears in the output. The <script>
 * case additionally checks that a harmless drawing element survives, so a
 * sanitizer that blanked the whole document would not pass that test.
 *
 * NOTE(review): upper-/mixed-case tag and attribute names, xlink:href and
 * <use> are not exercised here — TODO add cases once the sanitizer's
 * handling of them is confirmed.
 */
describe('sanitizeSvg', () => {
  it('strips <script> tags', () => {
    const cleaned = sanitizeSvg('<svg><script>alert(1)</script><path d="M0 0"/></svg>');
    // /script/i also matches the word "description", so keep this input free of it.
    expect(cleaned).not.toMatch(/script/i);
    // Positive check: legitimate geometry must survive sanitisation.
    expect(cleaned).toMatch(/<path/);
  });

  // [test name, untrusted markup, pattern that must not survive]
  const removalCases = [
    ['strips on* event handlers', '<svg onload="x()"><rect onclick="y()"/></svg>', /onload|onclick/i],
    ['strips unquoted on* handlers', '<svg onload=alert(1)><rect onclick=go()/></svg>', /onload|onclick/i],
    ['neutralizes javascript: hrefs', '<svg><a href="javascript:alert(1)">x</a></svg>', /javascript:/i],
    ['drops <foreignObject>', '<svg><foreignObject><body>x</body></foreignObject></svg>', /foreignObject/i],
  ];

  it.each(removalCases)('%s', (_name, markup, forbidden) => {
    expect(sanitizeSvg(markup)).not.toMatch(forbidden);
  });

  it('accepts a Buffer', () => {
    // Binary input (e.g. a file read without an encoding) must be handled too.
    const cleaned = sanitizeSvg(Buffer.from('<svg><path/></svg>'));
    expect(cleaned).toMatch(/<svg/);
  });
});