// SPDX-License-Identifier: 0BSD import { describe, it, expect } from "vitest"; import { buildMeshchatMapUri, buildWebHashMapUrl, findMapUriInContent, mapLinkKindFromMessage, parseMeshchatMapUri, } from "@/js/mapLinkUtils.js"; const XSS_MARKERS = [ "", '">', "javascript:alert(1)", "';DROP TABLE t;--", "", "\u003cscript\u003e", ]; describe("mapLinkUtils security and XSS-related parsing", () => { it("round-trips map URIs with XSS-like label and layers as plain strings", () => { for (const marker of XSS_MARKERS) { const uri = buildMeshchatMapUri({ lat: 1, lon: 2, zoom: 5, layers: marker, label: marker, }); const p = parseMeshchatMapUri(uri); expect(p).not.toBeNull(); expect(p.layers).toBe(marker); expect(p.label).toBe(marker); } }); it("findMapUriInContent stops before angle brackets and whitespace", () => { expect(findMapUriInContent("x meshchatx://map?lat=1&lon=2&z=3 { const uri = "meshchatx://map?lat=0&lon=0&z=3&label=ping"; expect(mapLinkKindFromMessage(" " + uri, null)).toBe("view"); expect(mapLinkKindFromMessage("not a ping MeshChatX map ping: " + uri, null)).toBe("view"); expect(mapLinkKindFromMessage("MeshChatX map ping: " + uri, parseMeshchatMapUri(uri))).toBe("ping"); expect(mapLinkKindFromMessage("MeshChatX map ping: fake", null)).toBe("view"); expect(mapLinkKindFromMessage("hello", parseMeshchatMapUri(uri))).toBe("ping"); expect(mapLinkKindFromMessage("hello", { label: "not-ping" })).toBe("view"); }); it("buildWebHashMapUrl encodes dangerous characters in query values", () => { const marker = ""; const u = buildWebHashMapUrl({ lat: 0, lon: 0, zoom: 4, layers: marker, label: marker, }); expect(u).not.toContain("