UNPKG

payload

Version:

Node, React, Headless CMS and Application Framework built on Next.js

payloadcms.com

payloadcms/payload

133 lines (132 loc) 6.25 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
import { sanitizeUserDataForEmail } from './sanitizeUserDataForEmail'; describe('sanitizeUserDataForEmail', ()=>{ it('should remove anchor tags', ()=>{ const input = '<a href="https://example.com">Click me</a>'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Click me'); }); it('should remove script tags', ()=>{ const unsanitizedData = '<script>alert</script>'; const sanitizedData = sanitizeUserDataForEmail(unsanitizedData); expect(sanitizedData).toBe('alert'); }); it('should remove mixed-case script tags', ()=>{ const input = '<ScRipT>alert(1)</sCrIpT>'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('alert1'); }); it('should remove embedded base64-encoded scripts', ()=>{ const input = '<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">'; const result = sanitizeUserDataForEmail(input); expect(result).toBe(''); }); it('should remove iframe elements', ()=>{ const input = '<iframe src="malicious.com"></iframe>Frame'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Frame'); }); it('should remove javascript: links in attributes', ()=>{ const input = '<a href="javascript:alert(1)">click</a>'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('click'); }); it('should remove mismatched script input', ()=>{ const input = '<script>console.log("test")'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('console.log\"test\"'); }); it('should remove encoded scripts via HTML entities', ()=>{ const input = '&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('alert1'); }); it('should remove template injection syntax', ()=>{ const input = '{{7*7}}'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('77'); }); it('should remove invisible zero-width characters', ()=>{ const input = 'a\u200Bler\u200Bt("XSS")'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('alert\"XSS\"'); }); it('should remove CSS expressions within style attributes', ()=>{ const input = '<div style="width: expression(alert(\'XSS\'));">Hello</div>'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Hello'); }); it('should not render SVG with onload event', ()=>{ const input = '<svg onload="alert(\'XSS\')">Graphic</svg>'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Graphic'); }); it('should not allow backtick-based patterns', ()=>{ const input = '`alert("XSS")`'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('alert\"XSS\"'); }); it('should preserve allowed punctuation', ()=>{ const input = `Hello "world" - it's safe!`; const result = sanitizeUserDataForEmail(input); expect(result).toBe(`Hello "world" - it's safe!`); }); it('should return empty string for non-string input', ()=>{ expect(sanitizeUserDataForEmail(null)).toBe(''); expect(sanitizeUserDataForEmail(undefined)).toBe(''); expect(sanitizeUserDataForEmail(123)).toBe(''); expect(sanitizeUserDataForEmail({})).toBe(''); }); it('should return empty string for an empty string', ()=>{ expect(sanitizeUserDataForEmail('')).toBe(''); }); it('should collapse excessive whitespace', ()=>{ const input = 'This is \n\n a test'; expect(sanitizeUserDataForEmail(input)).toBe('This is a test'); }); it('should truncate to maxLength characters', ()=>{ const input = 'a'.repeat(200); const result = sanitizeUserDataForEmail(input, 50); expect(result.length).toBe(50); }); it('should remove characters outside allowed punctuation', ()=>{ const input = 'Hello @#$%^*()_+=[]{}|\\~`'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Hello'); }); it('should sanitize syntax in regex-like input', ()=>{ const input = '(?=XSS)(?:abc)'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('XSSabc'); }); it('should handle string of only control characters', ()=>{ const input = '\x01\x02\x03\x04'; const result = sanitizeUserDataForEmail(input); expect(result).toBe(''); }); it('should sanitize complex script attempt with mixed encoding', ()=>{ const input = '&#x3C;script&#x3E;alert(String.fromCharCode(88,83,83))&#x3C;/script&#x3E;'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('alertString.fromCharCode88,83,83'); }); it('should handle deeply nested HTML tags correctly', ()=>{ const input = `<div><section><article><p>Hello <strong>world <em>from <span>deep <a href="#">tags</a></span></em></strong></p></article></section></div>`; const result = sanitizeUserDataForEmail(input); expect(result).toBe('Hello world from deep tags'); }); it('should preserve accented Spanish characters', ()=>{ const input = '¡Hola! ¿Cómo estás? ÁÉÍÓÚ ÜÑ ñáéíóú ü'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('¡Hola! ¿Cómo estás? ÁÉÍÓÚ ÜÑ ñáéíóú ü'); }); it('should preserve Arabic characters with diacritics', ()=>{ const input = 'مَرْحَبًا بِكَ فِي الْمَوْقِعِ'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('مَرْحَبًا بِكَ فِي الْمَوْقِعِ'); }); it('should preserve Japanese characters', ()=>{ const input = 'こんにちゎ、世界!!〆'; const result = sanitizeUserDataForEmail(input); expect(result).toBe('こんにちゎ、世界!!〆'); }); }); //# sourceMappingURL=sanitizeUserDataForEmail.spec.js.map