UltiSuite/ultisuite-backend
UltiSuite/ultisuite-backend
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
f97988b51f
ultisuite-backend/internal/mail/sanitize/sanitize_test.go
R3D347HR4Y cd0a80f5e8 huhu
2026-05-25 13:52:27 +02:00

77 lines
2.6 KiB
Go
Raw Blame History

package sanitize
import (
"strings"
"testing"
)
func TestSanitizeHTML_stripsScriptTags(t *testing.T) {
in := `<p>Hello</p><script>alert("xss")</script><b>World</b>`
got := SanitizeHTML(in)
if strings.Contains(got, "script") {
t.Fatalf("expected script removed, got %q", got)
}
if !strings.Contains(got, "Hello") || !strings.Contains(got, "World") {
t.Fatalf("expected safe content preserved, got %q", got)
}
}
func TestSanitizeHTML_stripsJavascriptURLs(t *testing.T) {
in := `<a href="javascript:alert(1)">click</a><img src="javascript:alert(2)" alt="x">`
got := SanitizeHTML(in)
if strings.Contains(strings.ToLower(got), "javascript:") {
t.Fatalf("expected javascript: URLs removed, got %q", got)
}
}
func TestSanitizeHTML_preservesSafeContent(t *testing.T) {
in := `<p>Hi</p><a href="https://example.com">link</a><img src="https://example.com/a.png" alt="pic">`
got := SanitizeHTML(in)
if !strings.Contains(got, `href="https://example.com"`) {
t.Fatalf("expected safe link preserved, got %q", got)
}
if !strings.Contains(got, `src="https://example.com/a.png"`) {
t.Fatalf("expected safe image preserved, got %q", got)
}
}
func TestSanitizeHTML_preservesEmailStyles(t *testing.T) {
in := `<style type="text/css">.title{font-family:Arial,sans-serif;color:#c00;}</style>` +
`<table width="600"><tr><td class="title" style="font-size:16px;">Promo</td></tr></table>`
got := SanitizeHTML(in)
if !strings.Contains(got, "font-family:Arial") {
t.Fatalf("expected style block preserved, got %q", got)
}
if !strings.Contains(got, `class="title"`) {
t.Fatalf("expected class preserved, got %q", got)
}
if !strings.Contains(got, `style="font-size:16px`) {
t.Fatalf("expected inline style preserved, got %q", got)
}
}
func TestSanitizeHTML_stripsJavascriptInCSS(t *testing.T) {
in := `<style>.x{background:url(javascript:alert(1))}</style><p class="x">Y</p>`
got := SanitizeHTML(in)
if strings.Contains(strings.ToLower(got), "javascript:") {
t.Fatalf("expected javascript css url stripped, got %q", got)
}
if !strings.Contains(got, `<p class="x">Y</p>`) {
t.Fatalf("expected content preserved, got %q", got)
}
}
func TestSanitizeHTML_preservesStylesheetLink(t *testing.T) {
in := `<link rel="stylesheet" href="https://cdn.example.com/campaign.css"><p>Hi</p>`
got := SanitizeHTML(in)
if !strings.Contains(got, `href="https://cdn.example.com/campaign.css"`) {
t.Fatalf("expected stylesheet link preserved, got %q", got)
}
}
func TestSanitizeHTML_empty(t *testing.T) {
if got := SanitizeHTML(""); got != "" {
t.Fatalf("expected empty string, got %q", got)
}
}
Reference in New Issue View Git Blame Copy Permalink