/** * MermaidViewer XSS Protection Tests * Tests defense-in-depth security layers for Mermaid diagram rendering */ import { describe, it, expect, vi, beforeEach } from "vitest"; import { render, waitFor } from "@testing-library/react"; import { MermaidViewer } from "./MermaidViewer"; // Mock mermaid vi.mock("mermaid", () => ({ default: { initialize: vi.fn(), render: vi.fn(), }, })); describe("MermaidViewer XSS Protection", () => { beforeEach(() => { vi.clearAllMocks(); }); describe("Script tag injection", () => { it("should block script tags in labels", async () => { const maliciousDiagram = `graph TD A[""]`; const { container } = render(); await waitFor(() => { const content = container.innerHTML; // Should not contain script tags expect(content).not.toContain(""]`; const { container } = render(); await waitFor(() => { const content = container.innerHTML.toLowerCase(); expect(content).not.toContain("'>"]`; const { container } = render(); await waitFor(() => { const content = container.innerHTML; expect(content).not.toContain("data:text/html"); expect(content).not.toContain(""]`; const { container } = render(); await waitFor(() => { const content = container.innerHTML; // SVG should be sanitized to remove scripts expect(content).not.toContain("Test", bindFunctions: vi.fn(), diagramType: "flowchart", }); const { container } = render(); await waitFor(() => { const content = container.innerHTML; // DOMPurify should remove the script tag expect(content).not.toContain("