Files
FabledCurator/tests/test_html_sanitize.py
T
2026-05-18 18:05:45 -04:00

39 lines
1.3 KiB
Python

from backend.app.utils.html_sanitize import sanitize_post_html
def test_none_and_blank_return_none():
assert sanitize_post_html(None) is None
assert sanitize_post_html("") is None
assert sanitize_post_html(" \n ") is None
def test_allowed_tags_survive():
out = sanitize_post_html("<p>hi <strong>there</strong><br><em>x</em></p>")
assert "<p>" in out and "<strong>" in out and "<br>" in out and "<em>" in out
def test_disallowed_tags_and_attrs_stripped_text_kept():
out = sanitize_post_html('<script>alert(1)</script><p onclick="x">body</p>')
assert "<script>" not in out
assert "alert(1)" not in out # clean_content removes script *content* too
assert "onclick" not in out
assert "body" in out
def test_div_stripped_but_text_preserved():
out = sanitize_post_html("<div><span>keep</span> me</div>")
assert "<div>" not in out and "<span>" not in out
assert "keep" in out and "me" in out
def test_links_get_rel_and_keep_http():
out = sanitize_post_html('<a href="https://example.com/p">link</a>')
assert 'href="https://example.com/p"' in out
assert 'rel="noopener noreferrer"' in out
def test_javascript_href_dropped():
out = sanitize_post_html('<a href="javascript:alert(1)">x</a>')
assert "javascript:" not in out
assert "x" in out # text preserved, dangerous href removed