- Added rate limiting for outbound email sends to prevent abuse, implemented in `internal/api/mail/sendguard`. - Introduced idempotency key support for email sending to avoid duplicate submissions. - Enhanced attachment handling with new limits and validation in `internal/api/mail/limits`. - Updated outbox processing to include retry logic and circuit breaker for SMTP failures. - Improved HTML sanitization for email content to enhance security. - Added unit tests for new features, ensuring robust functionality and error handling. - Updated configuration options in `.env.example` for new mail settings.
package sanitize
import (
"strings"
"testing"
)
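// TestSanitizeHTML_stripsScriptTags checks that a <script> element is removed
// from the output while the benign markup and text around it survive.
func TestSanitizeHTML_stripsScriptTags(t *testing.T) {
	in := `<p>Hello</p><script>alert("xss")</script><b>World</b>`
	got := SanitizeHTML(in)
	// Compare case-insensitively: an HTML parser treats <SCRIPT> exactly like
	// <script>, so the tag must be absent in any letter case. This also keeps
	// the check consistent with the lowercase comparison used in
	// TestSanitizeHTML_stripsJavascriptURLs.
	if strings.Contains(strings.ToLower(got), "script") {
		t.Fatalf("expected script removed, got %q", got)
	}
	// The sanitizer must not be destructive: text on either side of the
	// removed element has to remain.
	if !strings.Contains(got, "Hello") || !strings.Contains(got, "World") {
		t.Fatalf("expected safe content preserved, got %q", got)
	}
}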
// TestSanitizeHTML_stripsJavascriptURLs checks that javascript: URLs are
// dropped from both href and src attributes.
//
// Only the plain lowercase scheme is exercised here; the output is lowercased
// before the check so a re-cased scheme would still be caught, but inputs with
// mixed case or whitespace inside the scheme are not covered by this test.
func TestSanitizeHTML_stripsJavascriptURLs(t *testing.T) {
	const in = `<a href="javascript:alert(1)">click</a><img src="javascript:alert(2)" alt="x">`
	out := SanitizeHTML(in)
	lowered := strings.ToLower(out)
	if !strings.Contains(lowered, "javascript:") {
		return
	}
	t.Fatalf("expected javascript: URLs removed, got %q", out)
}
// TestSanitizeHTML_preservesSafeContent checks that the sanitizer is not
// over-eager: an https link and an https image with their attributes must
// come through unchanged.
func TestSanitizeHTML_preservesSafeContent(t *testing.T) {
	const in = `<p>Hi</p><a href="https://example.com">link</a><img src="https://example.com/a.png" alt="pic">`
	out := SanitizeHTML(in)

	linkKept := strings.Contains(out, `href="https://example.com"`)
	if !linkKept {
		t.Fatalf("expected safe link preserved, got %q", out)
	}

	imageKept := strings.Contains(out, `src="https://example.com/a.png"`)
	if !imageKept {
		t.Fatalf("expected safe image preserved, got %q", out)
	}
}
// TestSanitizeHTML_empty checks the boundary case: an empty input must yield
// an empty output rather than a wrapper element or an error marker.
func TestSanitizeHTML_empty(t *testing.T) {
	out := SanitizeHTML("")
	if len(out) != 0 {
		t.Fatalf("expected empty string, got %q", out)
	}
}