Jennie Robinson Faber
29c96a207e
Set up Vitest with server (node) and client (jsdom) test projects. 79 tests across 8 files verify all Phase 0-1 security controls: escapeHtml sanitization, DOMPurify markdown XSS prevention, CSRF enforcement, security headers, rate limiting, auth guards, profile field allowlist, and login anti-enumeration. Updated SECURITY_EVALUATION.md with remediation status, implementation summary, and automated test coverage details.
60 lines
1.7 KiB
JavaScript
60 lines
1.7 KiB
JavaScript
import { describe, it, expect } from 'vitest'
|
|
import { escapeHtml } from '../../../server/utils/escapeHtml.js'
|
|
|
|
describe('escapeHtml', () => {
|
|
it('escapes ampersands', () => {
|
|
expect(escapeHtml('a&b')).toBe('a&b')
|
|
})
|
|
|
|
it('escapes less-than signs', () => {
|
|
expect(escapeHtml('a<b')).toBe('a<b')
|
|
})
|
|
|
|
it('escapes greater-than signs', () => {
|
|
expect(escapeHtml('a>b')).toBe('a>b')
|
|
})
|
|
|
|
it('escapes double quotes', () => {
|
|
expect(escapeHtml('a"b')).toBe('a"b')
|
|
})
|
|
|
|
it('escapes single quotes', () => {
|
|
expect(escapeHtml("a'b")).toBe('a'b')
|
|
})
|
|
|
|
it('escapes all entities in a single string', () => {
|
|
expect(escapeHtml('<div class="x">&\'test\'')).toBe(
|
|
'<div class="x">&'test''
|
|
)
|
|
})
|
|
|
|
it('returns empty string for null', () => {
|
|
expect(escapeHtml(null)).toBe('')
|
|
})
|
|
|
|
it('returns empty string for undefined', () => {
|
|
expect(escapeHtml(undefined)).toBe('')
|
|
})
|
|
|
|
it('converts numbers to string', () => {
|
|
expect(escapeHtml(42)).toBe('42')
|
|
})
|
|
|
|
it('passes safe strings through unchanged', () => {
|
|
expect(escapeHtml('hello world')).toBe('hello world')
|
|
})
|
|
|
|
it('neutralizes script tag XSS payload', () => {
|
|
const payload = '<script>alert("xss")</script>'
|
|
const result = escapeHtml(payload)
|
|
expect(result).not.toContain('<script>')
|
|
expect(result).toBe('<script>alert("xss")</script>')
|
|
})
|
|
|
|
it('neutralizes img onerror XSS payload', () => {
|
|
const payload = '<img onerror="alert(1)" src=x>'
|
|
const result = escapeHtml(payload)
|
|
expect(result).not.toContain('<img')
|
|
expect(result).toBe('<img onerror="alert(1)" src=x>')
|
|
})
|
|
})
|