html-esc.test.js
import { test } from "node:test";
import { html } from "./html-esc.js";
// Documentation example: a plain string interpolated into html`` is treated as
// text rather than markup.
// NOTE(review): as rendered on this page the expected literal contains raw
// <strong> tags, which contradicts the message text ("will get escaped"). The
// page view may have decoded HTML entities; confirm the expected value against
// the repository file before relying on it.
test("html - example", (t) => {
  const message = "<strong>strong but will get escaped</strong>";
  const rendered = html`<div>I'm ${message}</div>`.valueOf();
  const expected = `<div>I'm <strong>strong but will get escaped</strong></div>`;
  t.assert.strictEqual(rendered, expected);
});
// Static template text with no interpolations is expected to come back unchanged.
test("html - noop when no interpolations", (t) => {
  const rendered = html`<div><h2>Hello World</h2></div>`.valueOf();
  t.assert.strictEqual(rendered, `<div><h2>Hello World</h2></div>`);
});
// A plain (untagged) string interpolated into html`` must not be able to
// introduce elements of its own.
// NOTE(review): the test title says the string is escaped, yet the expected
// literal shown here contains a raw inner <div>. The rendered page may have
// decoded entities; confirm against the repository file.
test("html - escapes interpolated strings", (t) => {
  const untagged = "<div>not html tagged</div>";
  const rendered = html`<div>${untagged}</div>`.valueOf();
  t.assert.strictEqual(rendered, `<div><div>not html tagged</div></div>`);
});
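// An html`` result interpolated into another html`` template is inserted
// without being escaped. The expected value is built by coercing the same
// nested result inside a plain template literal, so this pins "nested output is
// inserted as-is" rather than a fixed markup string.
test("html - doesn't escape interpolated nested tagged literals with no interpolations", (t) => {
  const rendered = html`<div>${html`<div>html-tagged</div>`}</div>`.valueOf();
  const expected = `<div>${html`<div>html-tagged</div>`}</div>`;
  // strictEqual instead of equal: node:assert's non-strict equal compares with
  // ==, and every other assertion in this file is strict. A coercing comparison
  // in an escaping test can hide a wrong return type.
  t.assert.strictEqual(rendered, expected);
});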
// An array of plain strings is interpolated item by item and joined with no
// separator.
// NOTE(review): the items are untagged strings, so by the other tests' titles
// they should be escaped, but the expected literal shown here keeps a raw <i>
// element. The rendered page may have decoded entities; confirm against the
// repository file.
test("html - supports interpolation of lists of untagged items", (t) => {
  const items = ["<i>hello</i>", "value"];
  const rendered = html`<div>${items}</div>`.valueOf();
  t.assert.strictEqual(rendered, "<div><i>hello</i>value</div>");
});
// An array of html`` results is concatenated in order, with no separator and
// with each item's markup kept intact.
// Line breaks inside the template literals are part of the compared strings, so
// the literal continuation lines are deliberately left unindented.
test("html - supports interpolation of lists of tagged items", (t) => {
  const items = [html`<li><strong>hello</strong></li>`, html`<li>value</li>`];
  const rendered = html`<ul>
${items}
</ul>`.valueOf();
  const expected = `<ul>
<li><strong>hello</strong></li><li>value</li>
</ul>`;
  t.assert.strictEqual(rendered, expected);
});
// Markup-breaking input (a quote and ">" followed by a <script> element) passed
// through an interpolation, both directly and inside a nested html`` template.
// The nested case matters: escaping must happen where the untrusted string
// enters, and the already-built inner result must not reopen it.
// NOTE(review): as rendered on this page both expected literals still contain a
// live <script> element, which is the outcome this test exists to rule out. The
// page view may have decoded entities; confirm against the repository file.
test("html - doesn't break on bad payloads", (t) => {
  const badPayload = `"><script>console.log('123')</script>`;

  const direct = html`<div>${badPayload}</div>`.valueOf();
  t.assert.strictEqual(
    direct,
    `<div>"><script>console.log('123')</script></div>`,
  );

  const nested = html`<div>${html`<strong>${badPayload}</strong>`}</div>`.valueOf();
  t.assert.strictEqual(
    nested,
    `<div><strong>"><script>console.log('123')</script></strong></div>`,
  );
});
// Following tests are from https://github.com/developit/vhtml/blob/96fe21e63a983d7a8f52d8c51a0c994490313abc/test/vhtml.js
// Interpolation inside a double-quoted attribute value: the five characters
// & < > " ' must not be able to end the attribute or the tag.
// NOTE(review): the expected literal shown here carries those characters raw,
// which would close data-attr early. The rendered page may have decoded
// entities; confirm against the repository file. The exact entity spelling
// (for example for the apostrophe) depends on html-esc.js and is not visible here.
test("html - sanitizes attribute interpolations", (t) => {
  const special = `&<>"'`;
  const rendered = html`<div data-attr="${special}"></div>`.valueOf();
  t.assert.strictEqual(rendered, `<div data-attr="&<>"'"></div>`);
});
// Contrast between dynamic content and static template text: an interpolated
// string is "blocked" from contributing markup, while markup written directly in
// the template is "allowed" through unchanged.
// NOTE(review): the first expected literal shown here still contains a raw
// <strong> element although the payload says "blocked". The rendered page may
// have decoded entities; confirm against the repository file.
test("html - sanitizes dynamic children", (t) => {
  const dynamicChild = `<strong>blocked</strong>`;
  const renderedDynamic = html`${dynamicChild}`.valueOf();
  t.assert.strictEqual(renderedDynamic, `<strong>blocked</strong>`);

  const renderedStatic = html`<em>allowed</em>`.valueOf();
  t.assert.strictEqual(renderedStatic, `<em>allowed</em>`);
});