/**
 * TEST-010: Sanitization validation tests for DiffPreview
 *
 * Verifies that dangerouslySetInnerHTML usage in DiffPreview always routes
 * through sanitizeHtml, preventing XSS from AI-generated or user content.
 */
import { render, screen } from '@testing-library/react';
import { describe, it, expect, vi } from 'vitest';

// Use the REAL sanitizeHtml (not mocked) to verify XSS protection end-to-end
vi.mock('@/Components/ui/badge', () => ({
  Badge: ({ children, className }: { children: React.ReactNode; className?: string }) => (
    <span className={className}>{children}</span>
  ),
}));

vi.mock('@/Components/ui/button', () => ({
  Button: ({
    children,
    onClick,
  }: {
    children: React.ReactNode;
    onClick?: () => void;
  }) => <button onClick={onClick}>{children}</button>,
}));

vi.mock('@/lib/utils', () => ({
  cn: (...args: unknown[]) => args.filter(Boolean).join(' '),
}));

import DiffPreview from './DiffPreview';

describe('DiffPreview — sanitization', () => {
  it('renders safe HTML content correctly', () => {
    const { container } = render(
      <DiffPreview
        originalContent="<p>Original <strong>content</strong></p>"
        newContent="<p>New <em>content</em></p>"
      />,
    );

    // Safe tags should be preserved in the rendered container
    expect(container.querySelector('strong')).toBeTruthy();
  });

  it('strips script tags from original content before rendering', () => {
    render(
      <DiffPreview
        originalContent='<p>Text</p><script>window.__xss_original=true</script>'
        newContent="<p>Safe content</p>"
      />,
    );

    // Script should have been stripped — XSS should not execute
    expect((window as unknown as Record<string, unknown>).__xss_original).toBeUndefined();

    // The element rendered via dangerouslySetInnerHTML should not contain a script tag
    const container = document.body;
    expect(container.querySelector('script')).toBeNull();
  });

  it('strips script tags from new content before rendering', () => {
    render(
      <DiffPreview
        originalContent="<p>Safe content</p>"
        newContent='<p>Text</p><script>window.__xss_new=true</script>'
      />,
    );

    expect((window as unknown as Record<string, unknown>).__xss_new).toBeUndefined();
    expect(document.body.querySelector('script')).toBeNull();
  });

  it('strips event handlers from content', () => {
    render(
      <DiffPreview
        originalContent='<p onclick="window.__onclick=true">Click</p>'
        newContent='<div onmouseover="window.__onmouseover=true">Hover</div>'
      />,
    );

    expect((window as unknown as Record<string, unknown>).__onclick).toBeUndefined();
    // The rendered paragraphs should not have onclick attributes
    const paras = document.querySelectorAll('[onclick]');
    expect(paras.length).toBe(0);
  });

  it('strips iframe tags from content', () => {
    render(
      <DiffPreview
        originalContent='<p>Text</p><iframe src="http://evil.com"></iframe>'
        newContent="<p>Safe</p>"
      />,
    );

    expect(document.body.querySelector('iframe')).toBeNull();
  });

  it('renders text content even when tags are stripped', () => {
    render(
      <DiffPreview
        originalContent='<script>alert(1)</script>Important text'
        newContent="<p>New content</p>"
      />,
    );

    // Text content should be present even though tags were stripped
    expect(document.body.textContent).toContain('Important text');
  });

  it('shows empty state message when original content is blank', () => {
    render(<DiffPreview originalContent="" newContent="<p>New content</p>" />);

    // Component should render without crashing for empty content
    // New content should still be visible
    expect(screen.getByText('New content')).toBeTruthy();
  });
});