diff --git a/packages/web-shell/client/components/messages/Markdown.test.ts b/packages/web-shell/client/components/messages/Markdown.test.ts index 716c6a9154..72e880e2b9 100644 --- a/packages/web-shell/client/components/messages/Markdown.test.ts +++ b/packages/web-shell/client/components/messages/Markdown.test.ts @@ -4,7 +4,7 @@ import { act, createElement } from 'react'; import { createRoot } from 'react-dom/client'; import { describe, expect, it } from 'vitest'; -import { isSafeHref, isSafeImageSrc, Markdown, sanitizeSvg } from './Markdown'; +import { isSafeHref, isSafeImageSrc, Markdown } from './Markdown'; Object.assign(globalThis, { IS_REACT_ACT_ENVIRONMENT: true }); @@ -124,154 +124,3 @@ describe('Markdown mermaid rendering', () => { container.remove(); }); }); - -describe('sanitizeSvg', () => { - it('strips script elements', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain(' { - const svg = - '
Label
'; - const result = sanitizeSvg(svg); - expect(result).toContain('foreignObject'); - expect(result).toContain('Label'); - }); - - it('strips on* handlers inside foreignObject', () => { - const svg = - '
Label
'; - const result = sanitizeSvg(svg); - expect(result).toContain('foreignObject'); - expect(result).not.toContain('onclick'); - }); - - it('keeps style elements with safe CSS (mermaid theming)', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain('url(#grad)'); - expect(result).not.toContain('url(https://'); - }); - - it('strips image elements (external resource loading)', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain('feImage'); - }); - - it('keeps use elements with fragment-only href', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain(' { - const svg = ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain(' { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain('onclick'); - expect(result).not.toContain('onload'); - }); - - it('removes href attributes with javascript: scheme', () => { - const svg = - 'click'; - const result = sanitizeSvg(svg); - expect(result).not.toContain('javascript:'); - }); - - it('removes href attributes with external URLs', () => { - const svg = - 'link'; - const result = sanitizeSvg(svg); - expect(result).not.toContain('https://evil.com'); - }); - - it('removes style attributes with external url()', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain('url(https://'); - }); - - it('keeps style attributes with fragment-only url()', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain('url(#gradient0)'); - }); - - it('strips animate elements', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).not.toContain(' { - expect(sanitizeSvg('')).toBe(''); - }); - - it('returns empty string for empty input', () => { - expect(sanitizeSvg('')).toBe(''); - }); - - it('passes through safe SVG content', () => { - const svg = - ''; - const result = sanitizeSvg(svg); - expect(result).toContain(' is kept (not removed): -// Mermaid embeds