// Regression suite for the sanitisation behaviour of renderMarkdown (vitest).
//
// NOTE(review): this listing appears to have lost every angle-bracket tag
// literal during extraction. The string literals below are cut where a tag
// would have been, and several test titles and openers are missing, so the
// file does not parse as shown. Restore it from version control before
// running it.
//
// What the surviving assertions pin down:
//  - the Title heading text and the bold and italic words reach the output;
//  - an https link keeps its href and is emitted with rel=noopener noreferrer
//    and target=_blank, so the opened page gets no window.opener handle back
//    to the page that rendered the link;
//  - inline markdown inside link text is rendered, not left as literal
//    asterisks;
//  - a javascript: link is dropped and only its text is kept;
//  - a data: link leaves no data: URL in the output;
//  - no style= attribute survives (the input looks like raw HTML - confirm).
// The cases whose titles were cut (one starting with strips a, one wrapping
// the text hi, one passing a remote image URL) presumably assert that script
// tags, inline handlers and img tags are not emitted - confirm against the
// original file.
//
// NOTE(review): each negative check is a case-sensitive substring match on a
// single spelling of the scheme or attribute. The checks document intent; the
// guarantee itself has to come from scheme and attribute allow-listing inside
// renderMarkdown.
import { describe, expect, it } from "vitest"; import { renderMarkdown } from "../../src/lib/markdown"; describe("renderMarkdown", () => { it("renders standard markdown", () => { const html = renderMarkdown("# Title\n\n**bold** and *italic*"); expect(html).toContain("

Title

"); expect(html).toContain("bold"); expect(html).toContain("italic"); }); it("strips a "); expect(html).not.toContain(" { const html = renderMarkdown('
hi
'); expect(html).not.toContain(" { const html = renderMarkdown("![alt text](https://evil.example/tracker.png)"); expect(html).not.toContain(" { const html = renderMarkdown("[ok](https://example.com)"); expect(html).toContain('href="https://example.com"'); expect(html).toContain('rel="noopener noreferrer"'); expect(html).toContain('target="_blank"'); }); it("renders inline markdown inside link text", () => { const html = renderMarkdown("[**bold** link](https://example.com)"); expect(html).toContain('href="https://example.com"'); expect(html).toContain("bold"); expect(html).not.toContain("**bold**"); }); it("drops a javascript: link, keeping only its text", () => { const html = renderMarkdown("[click](javascript:alert(1))"); expect(html).not.toContain("javascript:"); expect(html).not.toContain(" { const html = renderMarkdown("[x](data:text/html,)"); expect(html).not.toContain("data:"); expect(html).not.toContain(" { const html = renderMarkdown('

x

'); expect(html).not.toContain("style="); }); });