trusted-html.test.js
import assert from 'node:assert';
import { describe, test } from 'node:test';
import { html } from './trusted-html.js';
describe('Trusted HTML Policy (Node/Fallback Mode)', () => {
  // Every case inspects the serialized form of whatever `html` returns, so the
  // assertions hold whether `html` yields a plain string or a wrapper object
  // with its own toString().
  const render = (value) => value.toString();

  // NOTE(review): the expected strings below contain raw `<` and `>` although
  // the test names promise escaping. If the entities were lost when this file
  // was rendered, restore them; if the file genuinely reads this way, these
  // tests assert that `html` does NOT escape and need to be corrected.
  // Only element-content (text node) context is exercised here; attribute and
  // URL contexts are not covered by these cases.

  test('Tag Usage: escapes unsafe values', () => {
    const payload = '<img src=x onerror=alert(1)>';
    const out = html`<div>${payload}</div>`;
    assert.strictEqual(render(out), '<div><img src=x onerror=alert(1)></div>');
  });

  test('Direct Usage: escapes input string', () => {
    // `html` invoked as an ordinary function instead of as a template tag.
    const out = html('<script>alert(1)</script>');
    assert.strictEqual(render(out), '<script>alert(1)</script>');
  });

  test('Array Usage: joins and escapes list items', () => {
    // An interpolated array must be joined without separators rather than
    // falling back to Array#toString, which would insert commas.
    const fragments = ['<br>', '<b>bold</b>'];
    const out = html`Items: ${fragments}`;
    assert.strictEqual(render(out), 'Items: <br><b>bold</b>');
  });

  test('Security: enforces Double Escaping in fallback mode', () => {
    // Without TrustedTypes (Node), `html` cannot mark its output as trusted,
    // so a value it produced earlier is, when nested into a new template,
    // treated like any other untrusted string and escaped again. Anything
    // else would let attacker-influenced content pass the policy simply by
    // having gone through `html` once ("fake trust").
    const nested = html`<span>Safe</span>`;
    const wrapped = html`<div>${nested}</div>`;
    assert.strictEqual(render(wrapped), '<div><span>Safe</span></div>');
  });
});