'use strict'; // npx mocha test-XSS.js require('should'); const checkXSS = require('../app/src/XSS'); describe('test-XSS', () => { describe('1. Basic Data Types Handling', () => { it('should return numbers and booleans unchanged', () => { checkXSS(42).should.equal(42); checkXSS(true).should.equal(true); }); it('should return null and undefined unchanged', () => { should.not.exist(checkXSS(null)); should.not.exist(checkXSS(undefined)); }); }); describe('2. Simple String Handling', () => { it('should sanitize strings with XSS injections', () => { const maliciousString = ''; const sanitizedString = checkXSS(maliciousString); sanitizedString.should.not.containEql(''); }); it('should sanitize complex XSS injections', () => { const complexString = ''; const sanitizedString = checkXSS(complexString); sanitizedString.should.not.containEql('onload'); sanitizedString.should.equal(''); }); it('should sanitize HTML attributes', () => { const maliciousHtml = 'click me'; const sanitizedHtml = checkXSS(maliciousHtml); sanitizedHtml.should.not.containEql('javascript:'); sanitizedHtml.should.containEql('click me'); }); it('should sanitize embedded scripts in HTML', () => { const maliciousHtml = '
'; const sanitizedHtml = checkXSS(maliciousHtml); sanitizedHtml.should.not.containEql('', key2: 'normal string', }; const sanitizedObject = checkXSS(maliciousObject); sanitizedObject.key1.should.not.containEql(''); sanitizedObject.key2.should.equal('normal string'); }); it('should sanitize arrays with XSS injections', () => { const maliciousArray = ['', 'normal string']; const sanitizedArray = checkXSS(maliciousArray); sanitizedArray[0].should.not.containEql(''); sanitizedArray[1].should.equal('normal string'); }); it('should handle nested objects and arrays with XSS injections', () => { const nestedData = { key1: [ '', { key2: '', }, ], }; const sanitizedData = checkXSS(nestedData); sanitizedData.key1[0].should.not.containEql(''); sanitizedData.key1[1].key2.should.not.containEql('onerror'); sanitizedData.key1[1].key2.should.equal(''); }); it('should handle XSS in nested HTML elements', () => { const nestedXss = '
Click me
'; const sanitizedNestedXss = checkXSS(nestedXss); sanitizedNestedXss.should.not.containEql('onclick'); sanitizedNestedXss.should.containEql('
Click me
'); }); it('should handle XSS through malicious attributes in different tags', () => { const maliciousAttributes = 'Link'; const sanitizedAttributes = checkXSS(maliciousAttributes); sanitizedAttributes.should.not.containEql('onclick'); sanitizedAttributes.should.not.containEql('javascript:'); sanitizedAttributes.should.not.containEql('alert'); }); }); describe('4. Handling Specific Formats (JSON, Base64, etc.)', () => { it('should handle XSS in JSON data', () => { const maliciousJson = '{"key": ""}'; const sanitizedJson = checkXSS(JSON.parse(maliciousJson)); sanitizedJson.key.should.not.containEql('onerror'); sanitizedJson.key.should.equal(''); }); it('should sanitize base64 encoded content', () => { const maliciousBase64 = ''; const sanitizedBase64 = checkXSS(maliciousBase64); sanitizedBase64.should.not.containEql('onload'); sanitizedBase64.should.equal(''); }); it('should sanitize encoded HTML entities', () => { const encodedHtmlEntities = '<script>alert('xss')</script>'; const sanitizedEntities = checkXSS(encodedHtmlEntities); sanitizedEntities.should.not.containEql(''; const sanitizedSvgXss = checkXSS(svgXss); sanitizedSvgXss.should.not.containEql(''; const sanitizedDynamicXss = checkXSS(dynamicXss); sanitizedDynamicXss.should.not.containEql('onerror'); sanitizedDynamicXss.should.containEql('
'); }); }); describe('8. Handling Mixed Content', () => { it('should sanitize mixed content', () => { const mixedContent = '
Normal text more text
'; const sanitizedContent = checkXSS(mixedContent); sanitizedContent.should.not.containEql('