From 9bc18b774e39a53fc83c8d6a07871256b14e6fb1 Mon Sep 17 00:00:00 2001 From: Elian Doran Date: Sun, 5 Apr 2026 12:07:55 +0300 Subject: [PATCH] test(server): add unit tests for sanitizeSvg --- apps/server/src/services/utils.spec.ts | 107 +++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/apps/server/src/services/utils.spec.ts b/apps/server/src/services/utils.spec.ts index 1a69d7dd17..bf7fda5570 100644 --- a/apps/server/src/services/utils.spec.ts +++ b/apps/server/src/services/utils.spec.ts @@ -705,3 +705,110 @@ describe("#slugify", () => { expect(result).toBe(expectedSlug); }); }); + +describe("#sanitizeSvg", () => { + it("should remove script elements", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove script elements with attributes", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove multiline script elements", () => { + const maliciousSvg = ``; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove onclick event handlers with double quotes", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove onclick event handlers with single quotes", () => { + const maliciousSvg = ""; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove onload event handlers", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove onerror event handlers", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove onmouseover event handlers", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should remove event handlers without quotes", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should replace javascript: URLs in href with #", () => { + const maliciousSvg = 'Click me'; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe('Click me'); + }); + + it("should replace javascript: URLs in xlink:href with #", () => { + const maliciousSvg = 'Click me'; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe('Click me'); + }); + + it("should preserve valid SVG content", () => { + const validSvg = ''; + const result = utils.sanitizeSvg(validSvg); + expect(result).toBe(validSvg); + }); + + it("should preserve valid href URLs", () => { + const validSvg = 'Link'; + const result = utils.sanitizeSvg(validSvg); + expect(result).toBe(validSvg); + }); + + it("should handle multiple malicious elements", () => { + const maliciousSvg = 'link'; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe('link'); + }); + + it("should handle empty SVG", () => { + const emptySvg = ''; + const result = utils.sanitizeSvg(emptySvg); + expect(result).toBe(''); + }); + + it("should be case insensitive for script tags", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); + + it("should be case insensitive for event handlers", () => { + const maliciousSvg = ''; + const result = utils.sanitizeSvg(maliciousSvg); + expect(result).toBe(''); + }); +});