35 lines
1.4 KiB
TypeScript
35 lines
1.4 KiB
TypeScript
import { readFileSync } from "fs";
|
|
import { describe, expect, it } from "vitest";
|
|
|
|
describe("export HTML markdown link sanitization", () => {
|
|
const templateJs = readFileSync(new URL("../src/core/export-html/template.js", import.meta.url), "utf-8");
|
|
|
|
it("overrides the marked link renderer to block javascript: protocol", () => {
|
|
// The custom link renderer must check for dangerous protocols
|
|
expect(templateJs).toMatch(/link\s*\(\s*token\s*\)/);
|
|
expect(templateJs).toMatch(/javascript/i);
|
|
expect(templateJs).toMatch(/vbscript/i);
|
|
});
|
|
|
|
it("overrides the marked image renderer to block javascript: protocol", () => {
|
|
expect(templateJs).toMatch(/image\s*\(\s*token\s*\)/);
|
|
});
|
|
|
|
it("escapes href attributes in the custom link renderer", () => {
|
|
// The link renderer must escape href values to prevent attribute breakout
|
|
expect(templateJs).toMatch(/escapeHtml\(href\)/);
|
|
});
|
|
|
|
it("escapes image mimeType attributes", () => {
|
|
// Image mimeType must be escaped to prevent attribute breakout
|
|
expect(templateJs).not.toMatch(/\$\{img\.mimeType\}/);
|
|
expect(templateJs).toMatch(/escapeHtml\(img\.mimeType/);
|
|
});
|
|
|
|
it("escapes image data attributes", () => {
|
|
// Image data is embedded in src attributes and must not allow attribute breakout.
|
|
expect(templateJs).not.toMatch(/;base64,\$\{img\.data\}"/);
|
|
expect(templateJs).toMatch(/;base64,\$\{escapeHtml\(img\.data \|\| (?:''|"")\)\}"/);
|
|
});
|
|
});
|