import { describe, it, expect } from 'vitest';

import { sanitizeHtml } from './sanitize';

describe('sanitizeHtml', () => {
  it('allows safe formatting tags', () => {
    const html = '<p>Hello <strong>world</strong></p>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('<p>');
    expect(sanitized).toContain('<strong>');
    expect(sanitized).toContain('</strong>');
  });

  it('strips script tags', () => {
    const html = '<p>Hello</p><script>alert("xss")</script>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('script');
    expect(sanitized).not.toContain('alert');
  });

  it('strips onerror handlers from img tags', () => {
    const html = '<img src=x onerror="alert(1)">';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('img');
    expect(sanitized).not.toContain('onerror');
    expect(sanitized).not.toContain('alert');
  });

  it('preserves safe links', () => {
    const html = '<a href="https://example.com">Link</a>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('<a');
    expect(sanitized).toContain('href=');
    expect(sanitized).toContain('example.com');
  });

  it('strips dangerous event handlers', () => {
    const html = '<p onclick="alert(1)">Click me</p>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('onclick');
    expect(sanitized).not.toContain('alert');
  });

  it('strips iframe tags', () => {
    const html = '<iframe src="http://evil.com"></iframe>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('iframe');
  });

  it('allows headings', () => {
    const html = '<h1>Title</h1><h2>Subtitle</h2>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('h1');
    expect(sanitized).toContain('h2');
  });

  it('allows lists', () => {
    const html = '<ul><li>Item 1</li><li>Item 2</li></ul>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('ul');
    expect(sanitized).toContain('li');
  });

  it('strips style attributes', () => {
    const html = '<p style="color: red; background: url(javascript:alert(1))">Text</p>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('style');
    expect(sanitized).not.toContain('javascript');
  });

  it('strips data attributes', () => {
    const html = '<p data-event="alert(1)">Text</p>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('data-event');
  });

  it('adds rel="noopener noreferrer" to target="_blank" links', () => {
    const html = '<a href="https://example.com" target="_blank">External</a>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).toContain('rel="noopener noreferrer"');
  });

  it('does not add rel to links without target="_blank"', () => {
    const html = '<a href="https://example.com">Internal</a>';
    const sanitized = sanitizeHtml(html);
    expect(sanitized).not.toContain('noopener');
  });
});