diff --git a/apps/server/src/services/utils.spec.ts b/apps/server/src/services/utils.spec.ts
index 1a69d7dd17..bf7fda5570 100644
--- a/apps/server/src/services/utils.spec.ts
+++ b/apps/server/src/services/utils.spec.ts
@@ -705,3 +705,110 @@ describe("#slugify", () => {
expect(result).toBe(expectedSlug);
});
});
+
+describe("#sanitizeSvg", () => {
+ it("should remove script elements", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove script elements with attributes", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove multiline script elements", () => {
+ const maliciousSvg = ``;
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove onclick event handlers with double quotes", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove onclick event handlers with single quotes", () => {
+ const maliciousSvg = "";
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove onload event handlers", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove onerror event handlers", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove onmouseover event handlers", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should remove event handlers without quotes", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should replace javascript: URLs in href with #", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should replace javascript: URLs in xlink:href with #", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should preserve valid SVG content", () => {
+ const validSvg = '';
+ const result = utils.sanitizeSvg(validSvg);
+ expect(result).toBe(validSvg);
+ });
+
+ it("should preserve valid href URLs", () => {
+ const validSvg = '';
+ const result = utils.sanitizeSvg(validSvg);
+ expect(result).toBe(validSvg);
+ });
+
+ it("should handle multiple malicious elements", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should handle empty SVG", () => {
+ const emptySvg = '';
+ const result = utils.sanitizeSvg(emptySvg);
+ expect(result).toBe('');
+ });
+
+ it("should be case insensitive for script tags", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+
+ it("should be case insensitive for event handlers", () => {
+ const maliciousSvg = '';
+ const result = utils.sanitizeSvg(maliciousSvg);
+ expect(result).toBe('');
+ });
+});