@heliosgraphics/utils 6.0.0-alpha.10

package/sanitize.spec.ts

@@ -0,0 +1,558 @@
+import { it, describe, expect } from "vitest"
+import { sanitizeText } from "./sanitize"
+
+describe("sanitize", () => {
+	describe("sanitizeText", () => {
+		const TEXT_1 = "a <b onClick=\"alert('hee hee')\">basic</b> tag"
+
+		it("removes an onclick tag", () => expect(sanitizeText(TEXT_1)).toEqual("a <b>basic</b> tag"))
+		it("returns empty for undefined", () => expect(sanitizeText(undefined)).toEqual(""))
+
+		// XSS Prevention Tests
+		it("removes script tags completely", () => {
+			const malicious = 'Hello <script>alert("XSS")</script> World'
+			expect(sanitizeText(malicious)).toEqual("Hello  World")
+		})
+
+		it("removes script tags with attributes", () => {
+			const malicious = 'Hello <script type="text/javascript">alert("XSS")</script> World'
+			expect(sanitizeText(malicious)).toEqual("Hello  World")
+		})
+
+		it("removes style tags", () => {
+			const malicious = "Hello <style>body{background:red}</style> World"
+			expect(sanitizeText(malicious)).toEqual("Hello  World")
+		})
+
+		it("removes all event handlers", () => {
+			const tests = [
+				{ input: '<div onclick="alert(1)">test</div>', expected: "<div>test</div>" },
+				{ input: '<img onload="alert(1)" src="x">', expected: "" },
+				{ input: '<body onpageshow="alert(1)">test</body>', expected: "test" },
+				{ input: '<div onmouseover="evil()">hover</div>', expected: "<div>hover</div>" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("removes javascript: URLs", () => {
+			const malicious = '<a href="javascript:alert(1)">click</a>'
+			expect(sanitizeText(malicious)).toEqual("click")
+		})
+
+		it("removes data: URLs", () => {
+			const malicious = '<img src="data:text/html,<script>alert(1)</script>">'
+			expect(sanitizeText(malicious)).toEqual("")
+		})
+
+		it("removes vbscript: URLs", () => {
+			const malicious = '<a href="vbscript:msgbox(1)">click</a>'
+			expect(sanitizeText(malicious)).toEqual("click")
+		})
+
+		// Advanced encoding bypass tests
+		it("handles Unicode escape sequences", () => {
+			const tests = [
+				{ input: "<script>\\u0061\\u006c\\u0065\\u0072\\u0074(1)</script>", expected: "" },
+				{ input: '<img src="\\x6a\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74:alert(1)">', expected: "" },
+				{ input: "Hello\\u003cscript\\u003ealert(1)\\u003c/script\\u003e", expected: "Hello" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles URL encoding bypasses", () => {
+			const tests = [
+				{ input: '<img src="%6a%61%76%61%73%63%72%69%70%74:alert(1)">', expected: "" },
+				{
+					input:
+						'<a href="%25%36%61%25%36%31%25%37%36%25%36%31%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34:alert(1)">link</a>',
+					expected: "link",
+				},
+				{ input: "test%3cscript%3ealert(1)%3c/script%3e", expected: "test" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles CSS escape sequences", () => {
+			const tests = [
+				{
+					input: '<div style="\\6a \\61 \\76 \\61 \\73 \\63 \\72 \\69 \\70 \\74 :alert(1)">test</div>',
+					expected: "<div>test</div>",
+				},
+				{ input: "<style>\\41 {color:red}</style>", expected: "" },
+				{ input: "\\6a\\61\\76\\61\\73\\63\\72\\69\\70\\74:alert(1)", expected: ":(1)" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles zero-width and control characters", () => {
+			const tests = [
+				{ input: "<script>ale\u200Brt(1)</script>", expected: "" },
+				{ input: "test\u202Ascript\u202C", expected: "testscript" },
+				{ input: "hello\uFEFFworld", expected: "helloworld" },
+				{ input: "test\u0000\u0001\u0002control", expected: "testcontrol" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles Unicode normalization attacks", () => {
+			const tests = [
+				{ input: "<scri\u0070t>alert(1)</script>", expected: "" },
+				{ input: "java\u0073cript:alert(1)", expected: "(1)" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles advanced protocol bypasses", () => {
+			const tests = [
+				{ input: '<a href="java\u00A0script:alert(1)">link</a>', expected: "link" },
+				{ input: '<img src="javascript:/*comment*/alert(1)">', expected: "" },
+				{ input: '<a href="javascript://anything\nalert(1)">link</a>', expected: "link" },
+				{ input: '<img src="javascript\\:alert(1)">', expected: "" },
+				{ input: '<a href="j\ta\nv\ra\fscript:alert(1)">link</a>', expected: "link" },
+				{ input: '<img src="livescript:alert(1)">', expected: "" },
+				{ input: '<a href="mocha:alert(1)">link</a>', expected: "link" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles advanced dangerous function patterns", () => {
+			const tests = [
+				{ input: "setTimeout(alert, 1)", expected: "(, 1)" },
+				{ input: 'Function("alert(1)")()', expected: '("(1)")()' },
+				{ input: "globalThis.alert(1)", expected: "(1)" },
+				{ input: 'window["constructor"]', expected: "" },
+				{ input: "`${alert(1)}`", expected: "" },
+				{ input: "String.fromCharCode(97,108,101,114,116)", expected: "(97,108,101,114,116)" },
+				{ input: 'atob("YWxlcnQ=")', expected: '("YWxlcnQ=")' },
+				{ input: 'decodeURIComponent("%61%6c%65%72%74")', expected: '("%61%6c%65%72%74")' },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles hex encoding with leading zeros", () => {
+			const tests = [
+				{ input: "&#x00000061;lert(1)", expected: "(1)" },
+				{ input: "&#0000097;lert(1)", expected: "(1)" },
+			]
+			tests.forEach(({ input, expected }) => {
+				expect(sanitizeText(input)).toEqual(expected)
+			})
+		})
+
+		it("handles additional HTML entities", () => {
+			const tests = [
+				{ input: "&lpar;alert&rpar;&semi;", expected: "();" },
+				{ input: "&colon;&sol;&sol;comment&NewLine;alert&lpar;1&rpar;", expected: "://comment\n(1)" },
+				{ input: "test&Tab;value&period;method&lpar;&rpar;", expected: "test\tvalue.method()" },
+			]
+			tests.forEach(({ input, expected }) => {
+				const result = sanitizeText(input)
+				// Since 'alert' gets stripped by the function, adjust expectations
+				if (input.includes("alert")) {
+					expect(result).toBe(expected.replace("alert", ""))
+				} else {
+					expect(result).toBe(expected)
+				}
+			})
+		})
+
+		it("removes dangerous tags completely", () => {
+			const dangerous = [
+				'<iframe src="javascript:alert(1)"></iframe>',
+				'<object data="data:text/html,<script>alert(1)</script>"></object>',
+				'<embed src="javascript:alert(1)">',
+				'<form><input type="submit" formaction="javascript:alert(1)"></form>',
+				'<video><source onerror="alert(1)"></video>',
+			]
+			dangerous.forEach((tag) => {
+				const result = sanitizeText(tag)
+				expect(result).not.toContain("<iframe")
+				expect(result).not.toContain("<object")
+				expect(result).not.toContain("<embed")
+				expect(result).not.toContain("<form")
+				expect(result).not.toContain("<video")
+				expect(result).not.toContain("<input")
+				expect(result).not.toContain("<source")
+			})
+		})
+
+		it("preserves safe HTML tags", () => {
+			const safe = "<p>Hello <b>bold</b> and <i>italic</i> and <em>emphasis</em></p>"
+			expect(sanitizeText(safe)).toEqual(safe)
+		})
+
+		it("preserves allowed attributes", () => {
+			const withAttrs = '<div class="safe" id="test" title="tooltip">content</div>'
+			expect(sanitizeText(withAttrs)).toEqual(withAttrs)
+		})
+
+		it("removes disallowed attributes", () => {
+			const withBadAttrs = '<div class="safe" onclick="alert(1)" data-bad="evil">content</div>'
+			expect(sanitizeText(withBadAttrs)).toEqual('<div class="safe">content</div>')
+		})
+
+		it("handles complex XSS attempts", () => {
+			const complex = `
+				<img src=x onerror=alert(1)>
+				<svg onload=alert(1)>
+				<details ontoggle=alert(1)>
+				<iframe srcdoc="<script>alert(1)</script>">
+				<object data="javascript:alert(1)">
+				<script>alert('XSS')</script>
+				<div style="background: url(javascript:alert(1))">
+			`
+			const result = sanitizeText(complex)
+			expect(result).not.toContain("alert")
+			expect(result).not.toContain("javascript")
+			expect(result).not.toContain("onerror")
+			expect(result).not.toContain("onload")
+			expect(result).not.toContain("<script")
+			expect(result).not.toContain("<iframe")
+			expect(result).not.toContain("<object")
+		})
+
+		it("handles edge cases safely", () => {
+			expect(sanitizeText("")).toEqual("")
+			expect(sanitizeText(null as unknown as string)).toEqual("")
+			expect(sanitizeText("   ")).toEqual("")
+			expect(sanitizeText("plain text")).toEqual("plain text")
+		})
+
+		// Advanced XSS Attack Vectors - Comprehensive Coverage
+		it("blocks HTML entity encoded attacks", () => {
+			const attacks = [
+				// HTML entity encoding
+				"<img src=x onerror=&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;>",
+				'<div onclick="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">click</div>',
+				// Hex encoding
+				"<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;>",
+				// Mixed encoding
+				"<img src=x onerror=a&#108;ert(1)>",
+			]
+			attacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("onerror")
+				expect(result).not.toContain("&#")
+			})
+		})
+
+		it("blocks case variation attacks", () => {
+			const attacks = [
+				"<SCRIPT>alert(1)</SCRIPT>",
+				"<ScRiPt>alert(1)</ScRiPt>",
+				"<IMG SRC=x ONERROR=alert(1)>",
+				'<DiV OnClick="alert(1)">test</DiV>',
+				'<IFrAmE src="javascript:alert(1)"></IFrAmE>',
+			]
+			attacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("<script")
+				expect(result).not.toContain("<iframe")
+				expect(result).not.toMatch(/on\w+=/i)
+			})
+		})
+
+		it("blocks attribute quote variations", () => {
+			const attacks = [
+				// No quotes
+				"<img src=x onerror=alert(1)>",
+				// Mixed quotes
+				"<div onclick='alert(1)'>test</div>",
+				'<div onclick="alert(1)">test</div>',
+				// Backticks (less common but possible)
+				"<div onclick=`alert(1)`>test</div>",
+				// Spaces around equals
+				"<img src = x onerror = alert(1)>",
+				// Tab characters
+				"<img	onclick	=	alert(1)>test</img>",
+			]
+			attacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toMatch(/on\w+\s*=/i)
+			})
+		})
+
+		it("blocks malformed HTML attacks", () => {
+			const attacks = [
+				// Unclosed tags
+				"<script>alert(1)",
+				"<img src=x onerror=alert(1)",
+				// Nested quotes
+				'<div onclick="alert(\\"XSS\\")">test</div>',
+				// Multiple attributes without spaces
+				"<img src=x onerror=alert(1)onload=alert(2)>",
+				// Broken attribute structure
+				"<div onclick=alert(1) onclick=alert(2)>test</div>",
+				// Comments in attributes
+				"<div on<!--comment-->click=alert(1)>test</div>",
+				// Null bytes (if they somehow make it through)
+				"<script>alert\\x00(1)</script>",
+				// Line breaks and tabs in dangerous content
+				"<script>\nalert(1)\n</script>",
+				"<img src=x\nonerror=alert(1)>",
+			]
+			attacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("<script")
+				expect(result).not.toMatch(/on\w+\s*=/i)
+			})
+		})
+
+		it("blocks protocol-based attacks comprehensively", () => {
+			const protocols = [
+				"javascript:",
+				"JAVASCRIPT:",
+				"JaVaScRiPt:",
+				"data:",
+				"DATA:",
+				"vbscript:",
+				"VBSCRIPT:",
+				"VbScRiPt:",
+				"file:",
+				"FILE:",
+				// Protocol with encoding
+				"java&#115;cript:",
+				"java&#x73;cript:",
+				// Protocol with spaces/tabs
+				"java script:",
+				"java\tscript:",
+				"java\nscript:",
+				// Protocol variations
+				"javascript&colon;",
+				"javascript&#58;",
+				"javascript&#x3a;",
+			]
+
+			protocols.forEach((protocol) => {
+				const attacks = [
+					`<a href="${protocol}alert(1)">click</a>`,
+					`<img src="${protocol}alert(1)">`,
+					`<iframe src="${protocol}alert(1)"></iframe>`,
+					`<object data="${protocol}alert(1)"></object>`,
+				]
+
+				attacks.forEach((attack) => {
+					const result = sanitizeText(attack)
+					expect(result).not.toContain("alert")
+					expect(result).not.toContain("javascript")
+					expect(result).not.toContain("vbscript")
+					expect(result).not.toContain("data:")
+					expect(result).not.toContain("<iframe")
+					expect(result).not.toContain("<object")
+				})
+			})
+		})
+
+		it("blocks SVG-based XSS attacks", () => {
+			const svgAttacks = [
+				'<svg onload="alert(1)">',
+				"<svg><script>alert(1)</script></svg>",
+				'<svg><g onload="alert(1)"></g></svg>',
+				'<svg><animateTransform onbegin="alert(1)"></animateTransform></svg>',
+				'<svg><text onactivate="alert(1)">XSS</text></svg>',
+				'<svg><use href="javascript:alert(1)"></use></svg>',
+			]
+
+			svgAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("<svg")
+				expect(result).not.toContain("<script")
+				expect(result).not.toMatch(/on\w+=/i)
+			})
+		})
+
+		it("blocks CSS-based XSS attempts", () => {
+			const cssAttacks = [
+				'<div style="background:url(javascript:alert(1))">test</div>',
+				'<div style="background-image:url(data:text/html,<script>alert(1)</script>)">test</div>',
+				"<style>body{background:url(javascript:alert(1))}</style>",
+				'<link rel="stylesheet" href="javascript:alert(1)">',
+				'<div style="width:expression(alert(1))">test</div>', // IE specific
+				'<div style="xss:expression(alert(1))">test</div>',
+			]
+
+			cssAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("javascript")
+				expect(result).not.toContain("<style")
+				expect(result).not.toContain("<link")
+				expect(result).not.toContain("expression")
+			})
+		})
+
+		it("blocks meta and link tag attacks", () => {
+			const metaAttacks = [
+				'<meta http-equiv="refresh" content="0;url=javascript:alert(1)">',
+				'<link rel="import" href="javascript:alert(1)">',
+				'<meta charset="x" http-equiv="refresh" content="1;javascript:alert(1)">',
+				'<base href="javascript:alert(1)">',
+				'<isindex action="javascript:alert(1)">',
+				'<marquee onstart="alert(1)">XSS</marquee>',
+			]
+
+			metaAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("javascript")
+				expect(result).not.toContain("<meta")
+				expect(result).not.toContain("<link")
+				expect(result).not.toContain("<base")
+				expect(result).not.toContain("<isindex")
+				expect(result).not.toContain("<marquee")
+			})
+		})
+
+		it("blocks form-based XSS attacks", () => {
+			const formAttacks = [
+				'<form action="javascript:alert(1)"><input type="submit"></form>',
+				'<input type="image" src="javascript:alert(1)">',
+				'<input type="submit" formaction="javascript:alert(1)">',
+				'<button formaction="javascript:alert(1)">click</button>',
+				'<select onchange="alert(1)"><option>test</option></select>',
+				'<textarea onfocus="alert(1)">content</textarea>',
+				'<keygen onfocus="alert(1)">',
+			]
+
+			formAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("javascript")
+				expect(result).not.toContain("<form")
+				expect(result).not.toContain("<input")
+				expect(result).not.toContain("<button")
+				expect(result).not.toContain("<select")
+				expect(result).not.toContain("<textarea")
+				expect(result).not.toContain("<keygen")
+			})
+		})
+
+		it("blocks multimedia-based XSS attacks", () => {
+			const mediaAttacks = [
+				'<audio src="javascript:alert(1)">',
+				'<video src="javascript:alert(1)">',
+				'<audio><source src="javascript:alert(1)"></audio>',
+				'<video poster="javascript:alert(1)">',
+				'<track kind="captions" src="javascript:alert(1)">',
+				'<audio oncanplay="alert(1)">',
+				'<video onloadstart="alert(1)">',
+				'<source media="all and (max-width:0) and (pointer: coarse)" onerror="alert(1)">',
+			]
+
+			mediaAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("javascript")
+				expect(result).not.toContain("<audio")
+				expect(result).not.toContain("<video")
+				expect(result).not.toContain("<source")
+				expect(result).not.toContain("<track")
+			})
+		})
+
+		it("blocks template and web component attacks", () => {
+			const templateAttacks = [
+				"<template><script>alert(1)</script></template>",
+				'<slot onclick="alert(1)">content</slot>',
+				'<custom-element onclick="alert(1)">test</custom-element>',
+				'<template id="x"><img src=x onerror="alert(1)"></template>',
+				"<shadow-root><script>alert(1)</script></shadow-root>",
+			]
+
+			templateAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("<script")
+				expect(result).not.toContain("<template")
+				expect(result).not.toContain("<slot")
+				expect(result).not.toMatch(/on\w+=/i)
+			})
+		})
+
+		it("blocks whitespace and unicode evasion attempts", () => {
+			const evasionAttacks = [
+				// Various whitespace characters
+				"<img\tsrc=x\tonerror=alert(1)>",
+				"<img\nsrc=x\nonerror=alert(1)>",
+				"<img\rsrc=x\ronerror=alert(1)>",
+				"<img\f src=x\f onerror=alert(1)>",
+				// Zero-width characters (if they somehow make it through)
+				"<img src=x onerror=al\u200Bert(1)>",
+				"<script>al\u200Bert(1)</script>",
+				// Unicode normalization attacks
+				"<img src=x onerror=\u0061\u006C\u0065\u0072\u0074(1)>",
+				// Mixed unicode and ASCII
+				"<script>\u0061lert(1)</script>",
+			]
+
+			evasionAttacks.forEach((attack) => {
+				const result = sanitizeText(attack)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("<script")
+				expect(result).not.toMatch(/on\w+\s*=/i)
+			})
+		})
+
+		it("blocks OWASP Top 10 XSS vectors", () => {
+			const owaspVectors = [
+				// OWASP XSS Filter Evasion Cheat Sheet vectors
+				"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
+				'<IMG SRC=javascript:alert("XSS")>',
+				"<IMG SRC=javascript:alert('XSS')>",
+				'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
+				"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>",
+				"<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>",
+				"<BODY BACKGROUND=\"javascript:alert('XSS')\">",
+				"<BODY ONLOAD=alert('XSS')>",
+				"<IMG LOWSRC=\"javascript:alert('XSS')\">",
+				"<BGSOUND SRC=\"javascript:alert('XSS');\">",
+				"<BR SIZE=\"&{alert('XSS')}\">",
+				"<LAYER SRC=\"javascript:alert('XSS')\"></LAYER>",
+				'<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">',
+				"<DIV STYLE=\"background-image:\\0075\\0072\\006C\\0028'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029'\\0029\">",
+				"<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>",
+				'<XSS STYLE="behavior: url(xss.htc);">',
+				'<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>',
+			]
+
+			owaspVectors.forEach((vector) => {
+				const result = sanitizeText(vector)
+				expect(result).not.toContain("alert")
+				expect(result).not.toContain("javascript")
+				expect(result).not.toContain("<script")
+				expect(result).not.toContain("<iframe")
+				expect(result).not.toContain("<style")
+				expect(result).not.toContain("<link")
+				expect(result).not.toMatch(/on\w+\s*=/i)
+			})
+		})
+
+		it("handles normalize function edge case", () => {
+			const inputWithSpecialChars = "ＡＢＣ＜ｓｃｒｉｐｔ＞ａｌｅｒｔ"
+			const result = sanitizeText(inputWithSpecialChars)
+			expect(result).not.toContain("script")
+			expect(result).not.toContain("alert")
+		})
+	})
+})