// @vitest-environment node
import { describe, expect, it } from "vitest";
import { sanitizeSvg } from "./sanitizeSvg";
describe("sanitizeSvg", () => {
it("strips `;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("script");
expect(clean).toContain(" {
const dirty = ``;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("foreignObject");
expect(clean).not.toContain("iframe");
expect(clean).toContain(" {
const dirty = ``;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("onload");
expect(clean).not.toContain("onclick");
expect(clean).toContain('width="1"');
});
it("strips javascript: and external http(s) hrefs but keeps local fragments", () => {
const dirty = [
``,
].join("");
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("javascript:");
expect(clean).not.toContain("evil.example");
expect(clean).toContain('href="#localClip"');
});
it("keeps data:image hrefs (figma embeds rasters this way)", () => {
const dirty = ``;
expect(sanitizeSvg(dirty)).toContain("data:image/png;base64,AAAA");
});
it("leaves a typical clean figma export untouched apart from whitespace", () => {
const clean = ``;
expect(sanitizeSvg(clean)).toBe(clean);
});
});
describe("sanitizeSvg hardening", () => {
it("strips nested script/foreignObject without leaving inner content", () => {
const dirty = ``;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("foreignObject");
expect(clean).not.toContain("iframe");
});
it("strips `);
expect(clean).not.toContain("style");
expect(clean).toContain(" {
expect(sanitizeSvg(``)).not.toContain("onclick");
});
it("drops non-image data: hrefs but keeps data:image and #fragments", () => {
const dirty = ``;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("data:text/html");
expect(clean).toContain('href="#clip"');
expect(clean).toContain("data:image/png");
});
it("drops blob: and protocol-relative hrefs", () => {
const clean = sanitizeSvg(``);
expect(clean).not.toContain("blob:");
expect(clean).not.toContain("//evil");
});
});
describe("sanitizeSvg close-tag variants (js/bad-tag-filter)", () => {
it("strips scripts whose close tag carries whitespace or junk before >", () => {
const dirty = "";
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("script");
expect(clean).not.toContain("evil");
expect(clean).toContain(" {
const dirty = ``;
const clean = sanitizeSvg(dirty);
expect(clean).not.toContain("style");
expect(clean).not.toContain("foreignObject");
expect(clean).not.toContain("iframe");
});
});