import { describe, it, expect } from "bun:test";
import { gcTick } from "./gc";
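describe("escapeHTML", () => {
  // The matrix of cases we need to test for:
  // 1. Works with short strings
  // 2. Works with long strings
  // 3. Works with latin1 strings
  // 4. Works with utf16 strings
  // 5. Works when the text to escape is somewhere in the middle
  // 6. Works when the text to escape is in the beginning
  // 7. Works when the text to escape is in the end
  // 8. Returns the same string when there's no need to escape
  //
  // Expected values spell out the entity for each escaped character:
  //   &  ->  &amp;     <  ->  &lt;     >  ->  &gt;
  //   "  ->  &quot;    '  ->  &#x27;
  // An expectation that equals its input would pass for a function that
  // escapes nothing, so every case containing one of these characters must
  // compare against the entity form.
  //
  // Scope: these cases pin escaping for HTML text and quoted attribute values.
  // They do not show that the output is safe inside <script>, a URL, or an
  // unquoted attribute.
  //
  // NOTE(review): escapeHTML is not imported in the visible lines; presumably
  // the runtime provides it as a global. Confirm against the test runner.
  it("works", () => {
    // Case 8: nothing to escape, the string comes back unchanged.
    expect(escapeHTML("absolutely nothing to do here")).toBe(
      "absolutely nothing to do here"
    );
    expect(escapeHTML("<script>alert(1)</script>")).toBe(
      "&lt;script&gt;alert(1)&lt;/script&gt;"
    );

    // Each escaped character on its own.
    expect(escapeHTML("<")).toBe("&lt;");
    expect(escapeHTML(">")).toBe("&gt;");
    expect(escapeHTML("&")).toBe("&amp;");
    expect(escapeHTML("'")).toBe("&#x27;");
    expect(escapeHTML('"')).toBe("&quot;");

    // Whitespace and control characters pass through untouched.
    expect(escapeHTML("\n")).toBe("\n");
    expect(escapeHTML("\r")).toBe("\r");
    expect(escapeHTML("\t")).toBe("\t");
    expect(escapeHTML("\f")).toBe("\f");
    expect(escapeHTML("\v")).toBe("\v");
    expect(escapeHTML("\b")).toBe("\b");
    expect(escapeHTML("\u00A0")).toBe("\u00A0");

    // Short strings; escapable text at the start, the end, and in the middle.
    expect(escapeHTML("<script>ab")).toBe("&lt;script&gt;ab");
    expect(escapeHTML("<script>")).toBe("&lt;script&gt;");
    expect(escapeHTML("<script><script>")).toBe("&lt;script&gt;&lt;script&gt;");

    expect(escapeHTML("lalala" + "<script>alert(1)</script>" + "lalala")).toBe(
      "lalala&lt;script&gt;alert(1)&lt;/script&gt;lalala"
    );

    expect(escapeHTML("<script>alert(1)</script>" + "lalala")).toBe(
      "&lt;script&gt;alert(1)&lt;/script&gt;lalala"
    );
    expect(escapeHTML("lalala" + "<script>alert(1)</script>")).toBe(
      "lalala" + "&lt;script&gt;alert(1)&lt;/script&gt;"
    );

    // Strings containing a non-Latin-1 character (the utf16 cases).
    expect(escapeHTML("What does ๐ mean?")).toBe("What does ๐ mean?");
    const output = escapeHTML("<What does ๐");
    expect(output).toBe("&lt;What does ๐");
    expect(escapeHTML("<div>What does ๐ mean in text?")).toBe(
      "&lt;div&gt;What does ๐ mean in text?"
    );

    // Long strings: the same three placements repeated 900 times.
    expect(
      escapeHTML(
        ("lalala" + "<script>alert(1)</script>" + "lalala").repeat(900)
      )
    ).toBe("lalala&lt;script&gt;alert(1)&lt;/script&gt;lalala".repeat(900));
    expect(
      escapeHTML(("<script>alert(1)</script>" + "lalala").repeat(900))
    ).toBe("&lt;script&gt;alert(1)&lt;/script&gt;lalala".repeat(900));
    expect(
      escapeHTML(("lalala" + "<script>alert(1)</script>").repeat(900))
    ).toBe(("lalala" + "&lt;script&gt;alert(1)&lt;/script&gt;").repeat(900));

    // the positions of the unicode codepoint are important
    // our simd code for U16 is at 8 bytes, so we need to especially check the boundaries
    expect(
      escapeHTML("๐lalala" + "<script>alert(1)</script>" + "lalala")
    ).toBe("๐lalala&lt;script&gt;alert(1)&lt;/script&gt;lalala");
    expect(escapeHTML("<script>๐alert(1)</script>" + "lalala")).toBe(
      "&lt;script&gt;๐alert(1)&lt;/script&gt;lalala"
    );
    expect(escapeHTML("<script>alert(1)๐</script>" + "lalala")).toBe(
      "&lt;script&gt;alert(1)๐&lt;/script&gt;lalala"
    );
    expect(escapeHTML("<script>alert(1)</script>" + "๐lalala")).toBe(
      "&lt;script&gt;alert(1)&lt;/script&gt;๐lalala"
    );
    expect(escapeHTML("<script>alert(1)</script>" + "lal๐ala")).toBe(
      "&lt;script&gt;alert(1)&lt;/script&gt;lal๐ala"
    );
    expect(
      escapeHTML("<script>alert(1)</script>" + "lal๐ala".repeat(10))
    ).toBe("&lt;script&gt;alert(1)&lt;/script&gt;" + "lal๐ala".repeat(10));

    // Vary the tail length so the non-Latin-1 character lands at different offsets.
    for (let i = 1; i < 10; i++) {
      expect(escapeHTML("<script>alert(1)</script>" + "la๐".repeat(i))).toBe(
        "&lt;script&gt;alert(1)&lt;/script&gt;" + "la๐".repeat(i)
      );
    }

    expect(escapeHTML("la๐" + "<script>alert(1)</script>")).toBe(
      "la๐" + "&lt;script&gt;alert(1)&lt;/script&gt;"
    );
    expect(
      escapeHTML(("lalala" + "<script>alert(1)</script>๐").repeat(1))
    ).toBe(("lalala" + "&lt;script&gt;alert(1)&lt;/script&gt;๐").repeat(1));

    expect(escapeHTML("๐".repeat(100))).toBe("๐".repeat(100));
    expect(escapeHTML("๐<".repeat(100))).toBe("๐&lt;".repeat(100));
    expect(escapeHTML("<๐>".repeat(100))).toBe("&lt;๐&gt;".repeat(100));
  });
});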