tfrere HF Staff
refactor(backend/publisher): transformer pipeline + shared registry + shiki highlighting
7843436
/**
* Security Tests (Section 4 of TESTS.md)
*
* Tests XSS escaping in published HTML output.
*/
import { describe, it, expect } from "vitest";
import { renderArticleHTML, type PublishMeta } from "../src/publisher/html-renderer.js";
// Stylesheet bundle handed to the renderer. Every slot is empty except
// `variables`, so the produced HTML carries almost no CSS and the
// assertions below look only at escaped metadata, not at styling.
const EMPTY_CSS = {
  variables: ":root { --text-color: #000; }",
  reset: "",
  base: "",
  layout: "",
  print: "",
  editorTokens: "",
  article: "",
  components: "",
  publisher: "",
};

// Benign metadata every test starts from; each test overrides exactly one
// field with an HTML/JS payload so a failure points at that field.
const BASE_META: PublishMeta = {
  title: "Test",
  description: "Test description",
  authors: [],
  affiliations: [],
  date: "2025-01-01",
};

// Smallest document the renderer accepts: one paragraph, one text node.
// Kept trivial so no `<script>`-like text can originate from the body.
const MINIMAL_JSON = {
  type: "doc",
  content: [{ type: "paragraph", content: [{ type: "text", text: "Hello" }] }],
};
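/**
 * Render MINIMAL_JSON with BASE_META overridden by `overrides`.
 *
 * Each test attacks a single metadata field; the document body and the
 * CSS bundle stay constant so the only untrusted input is the override.
 *
 * @param overrides - the one (or more) PublishMeta fields carrying the payload
 * @returns the published HTML produced by renderArticleHTML
 */
async function renderWithMeta(overrides: Partial<PublishMeta>): Promise<string> {
  const meta: PublishMeta = { ...BASE_META, ...overrides };
  return renderArticleHTML(MINIMAL_JSON, meta, EMPTY_CSS);
}

// Each case pairs two assertions: the raw payload must not reach the
// output verbatim, AND its entity-escaped form must be present. The second
// check matters because a renderer that simply dropped the field would
// also pass the first one.
describe("4.4 XSS prevention", () => {
  it("4.4.1 licence field is escaped in published HTML", async () => {
    const html = await renderWithMeta({
      licence: '<script>alert("xss")</script>',
    });
    expect(html).not.toContain('<script>alert("xss")</script>');
    expect(html).toContain("&lt;script&gt;");
  });

  it("4.4.2 title is escaped in published HTML", async () => {
    // Attribute-based payload: no <script> tag, so the check must not
    // rely on script stripping alone.
    const html = await renderWithMeta({
      title: '<img src=x onerror="alert(1)">',
    });
    expect(html).not.toContain('<img src=x onerror="alert(1)">');
    expect(html).toContain("&lt;img");
  });

  it("4.4.3 description is escaped in meta tags", async () => {
    // Leading `">` tries to break out of a quoted attribute value, so the
    // escaper must encode `"` as well as `<` / `>`.
    const html = await renderWithMeta({
      description: '"><script>alert(1)</script>',
    });
    expect(html).not.toContain('"><script>');
    expect(html).toContain("&quot;&gt;&lt;script&gt;");
  });

  it("4.4.4 author names are escaped", async () => {
    const html = await renderWithMeta({
      authors: [
        {
          name: '<script>alert(1)</script>',
          affiliationIndices: [],
          affiliationNames: [],
        },
      ],
    });
    expect(html).not.toContain('<script>alert(1)</script>');
    expect(html).toContain("&lt;script&gt;");
  });

  it("4.4.5 DOI is escaped in links", async () => {
    const html = await renderWithMeta({
      doi: '"><script>alert(1)</script>',
    });
    expect(html).not.toContain('"><script>');
    // NOTE(review): unlike the other cases there is no positive assertion
    // here. How the renderer emits the DOI (entity-escaped text, a
    // URL-encoded href, or rejected outright) is not pinned by this file;
    // confirm against html-renderer before adding one.
  });
});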