SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
cc7f850e7df87d5ec9b782d8c24ca888550769da
securebit-chat/tests/incoming-message-sanitization.test.mjs
T
lockbitchat 0a42aa13c3
CodeQL Analysis / Analyze CodeQL (push) Has been cancelled
Details
Deploy Application / deploy (push) Has been cancelled
Details
Mirror to Codeberg / mirror (push) Has been cancelled
Details
Mirror to PrivacyGuides / mirror (push) Has been cancelled
Details
release: prepare v4.8.5 security hardening release
2026-05-17 14:48:52 -04:00

58 lines
2.1 KiB
JavaScript
Raw Blame History

import assert from 'node:assert/strict';
globalThis.window = {
DEBUG_MODE: true,
DEVELOPMENT_MODE: true,
webpackHotUpdate: {},
location: {
hostname: 'localhost',
search: '?debug'
}
};
const { EnhancedSecureCryptoUtils } = await import('../src/crypto/EnhancedSecureCryptoUtils.js');
window.EnhancedSecureCryptoUtils = EnhancedSecureCryptoUtils;
const { EnhancedSecureWebRTCManager } = await import('../src/network/EnhancedSecureWebRTCManager.js');
function createManager() {
return {
delivered: [],
_debugMode: false,
_secureLog() {},
_sanitizeIncomingChatMessage: EnhancedSecureWebRTCManager.prototype._sanitizeIncomingChatMessage,
onMessage(message, type) {
this.delivered.push({ message, type });
}
};
}
// Normal text survives unchanged.
{
const manager = createManager();
EnhancedSecureWebRTCManager.prototype.deliverMessageToUI.call(manager, 'hello secure world', 'received');
assert.deepEqual(manager.delivered[0], { message: 'hello secure world', type: 'received' });
}
// XSS-like and HTML payloads are sanitized before UI delivery.
{
const manager = createManager();
EnhancedSecureWebRTCManager.prototype.deliverMessageToUI.call(manager, '<script>alert(1)</script>Hello <b>peer</b>', 'received');
assert.deepEqual(manager.delivered[0], { message: 'Hello peer', type: 'received' });
}
// Event-handler and protocol strings are removed before reaching React state.
{
const manager = createManager();
EnhancedSecureWebRTCManager.prototype.deliverMessageToUI.call(manager, '<img src=x onerror=alert(1)> javascript:alert(1)', 'received');
assert.deepEqual(manager.delivered[0], { message: 'alert(1)', type: 'received' });
}
// Outgoing/system messages are not altered by the incoming-message gate.
{
const manager = createManager();
EnhancedSecureWebRTCManager.prototype.deliverMessageToUI.call(manager, '<b>system</b>', 'system');
assert.deepEqual(manager.delivered[0], { message: '<b>system</b>', type: 'system' });
}
console.log('Incoming message sanitization tests passed');
Reference in New Issue View Git Blame Copy Permalink