Approve tool use

tests/unit/sanitize.test.ts

@@ -0,0 +1,117 @@
+/**
+ * Unit Tests for Sanitization Utilities
+ */
+
+import { describe, it, expect } from '@playwright/test';
+import { sanitizeHTML, sanitizeURL, sanitizePlainText, containsSuspiciousContent } from '@/lib/sanitize';
+
+describe('sanitizeURL', () => {
+  it('should allow valid http URLs', () => {
+    expect(sanitizeURL('http://example.com')).toBe('http://example.com');
+  });
+
+  it('should allow valid https URLs', () => {
+    expect(sanitizeURL('https://example.com/path?query=value')).toBe('https://example.com/path?query=value');
+  });
+
+  it('should allow valid mailto URLs', () => {
+    expect(sanitizeURL('mailto:user@example.com')).toBe('mailto:user@example.com');
+  });
+
+  it('should block javascript: protocol', () => {
+    expect(sanitizeURL('javascript:alert("XSS")')).toBe('#');
+  });
+
+  it('should block data: protocol', () => {
+    expect(sanitizeURL('data:text/html,<script>alert("XSS")</script>')).toBe('#');
+  });
+
+  it('should handle invalid URLs', () => {
+    expect(sanitizeURL('not a url')).toBe('#');
+    expect(sanitizeURL('')).toBe('#');
+  });
+
+  it('should handle null/undefined gracefully', () => {
+    expect(sanitizeURL(null as any)).toBe('#');
+    expect(sanitizeURL(undefined as any)).toBe('#');
+  });
+});
+
+describe('sanitizePlainText', () => {
+  it('should escape HTML entities', () => {
+    expect(sanitizePlainText('<script>alert("XSS")</script>'))
+      .toBe('&lt;script&gt;alert(&quot;XSS&quot;)&lt;&#x2F;script&gt;');
+  });
+
+  it('should escape ampersands', () => {
+    expect(sanitizePlainText('Tom & Jerry')).toBe('Tom &amp; Jerry');
+  });
+
+  it('should escape quotes', () => {
+    expect(sanitizePlainText('"Hello" \'World\'')).toContain('&quot;');
+    expect(sanitizePlainText('"Hello" \'World\'')).toContain('&#x27;');
+  });
+
+  it('should handle plain text without changes', () => {
+    expect(sanitizePlainText('Hello World')).toBe('Hello World');
+  });
+
+  it('should handle empty strings', () => {
+    expect(sanitizePlainText('')).toBe('');
+  });
+});
+
+describe('containsSuspiciousContent', () => {
+  it('should detect script tags', () => {
+    expect(containsSuspiciousContent('<script>alert(1)</script>')).toBe(true);
+    expect(containsSuspiciousContent('<SCRIPT>alert(1)</SCRIPT>')).toBe(true);
+  });
+
+  it('should detect javascript: protocol', () => {
+    expect(containsSuspiciousContent('javascript:alert(1)')).toBe(true);
+    expect(containsSuspiciousContent('JAVASCRIPT:alert(1)')).toBe(true);
+  });
+
+  it('should detect event handlers', () => {
+    expect(containsSuspiciousContent('<img onerror="alert(1)">')).toBe(true);
+    expect(containsSuspiciousContent('<div onclick="alert(1)">')).toBe(true);
+  });
+
+  it('should detect iframes', () => {
+    expect(containsSuspiciousContent('<iframe src="evil.com"></iframe>')).toBe(true);
+  });
+
+  it('should not flag safe content', () => {
+    expect(containsSuspiciousContent('This is a safe message')).toBe(false);
+    expect(containsSuspiciousContent('Email: user@example.com')).toBe(false);
+  });
+});
+
+describe('sanitizeHTML', () => {
+  it('should allow safe tags', () => {
+    const html = '<p>Hello <strong>world</strong></p>';
+    const result = sanitizeHTML(html);
+    expect(result).toContain('<p>');
+    expect(result).toContain('<strong>');
+  });
+
+  it('should remove script tags', () => {
+    const html = '<p>Hello</p><script>alert("XSS")</script>';
+    const result = sanitizeHTML(html);
+    expect(result).not.toContain('<script>');
+    expect(result).toContain('<p>');
+  });
+
+  it('should remove event handlers', () => {
+    const html = '<p onclick="alert(1)">Click me</p>';
+    const result = sanitizeHTML(html);
+    expect(result).not.toContain('onclick');
+  });
+
+  it('should allow safe links', () => {
+    const html = '<a href="https://example.com" target="_blank" rel="noopener">Link</a>';
+    const result = sanitizeHTML(html);
+    expect(result).toContain('href');
+    expect(result).toContain('target');
+  });
+});