/* Copyright 2026 Marimo. All rights reserved. */ import { render } from "@testing-library/react"; import { beforeEach, describe, expect, test, vi } from "vitest"; import { renderHTML } from "../RenderHTML"; // Mock only the useSanitizeHtml hook, use real sanitizeHtml vi.mock("../sanitize", async (importOriginal) => { const actual = await importOriginal(); return { ...actual, useSanitizeHtml: vi.fn(() => false), // Default to not sanitizing based on state }; }); describe("renderHTML with alwaysSanitizeHtml", () => { beforeEach(() => { vi.clearAllMocks(); }); test("alwaysSanitizeHtml=true forces sanitization even when useSanitizeHtml=false", () => { const html = "

Test

"; const result = renderHTML({ html, alwaysSanitizeHtml: true }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot(`"

Test

"`); }); test("alwaysSanitizeHtml=false respects useSanitizeHtml=false (no sanitization)", () => { const html = "

Test

"; const result = renderHTML({ html, alwaysSanitizeHtml: false }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Test

"`, ); }); test("alwaysSanitizeHtml=false respects useSanitizeHtml=true (sanitize)", async () => { // Import to get access to the mock const sanitizeModule = await import("../sanitize"); vi.mocked(sanitizeModule.useSanitizeHtml).mockReturnValue(true); const html = "

Test

"; const result = renderHTML({ html, alwaysSanitizeHtml: false }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot(`"

Test

"`); }); test("default alwaysSanitizeHtml=true sanitizes by default", () => { const html = "

Test

"; // Don't pass alwaysSanitizeHtml (should default to true) const result = renderHTML({ html }); const { container } = render(result); // Script should be removed by default sanitization expect(container.innerHTML).toMatchInlineSnapshot(`"

Test

"`); }); test("renders sanitized content correctly", () => { const html = "

Safe content

"; const result = renderHTML({ html, alwaysSanitizeHtml: true }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot(`"

Safe content

"`); }); test("renders unsanitized content when allowed", () => { const html = '

Safe content

'; const result = renderHTML({ html, alwaysSanitizeHtml: false }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Safe content

"`, ); }); test("sanitization happens before parsing", () => { const html = '

Content

Div

'; const result = renderHTML({ html, alwaysSanitizeHtml: true }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Content

Div

"`, ); }); }); describe("renderHTML sanitization integration", () => { test("text/markdown content should be sanitized", () => { const markdownHtml = '

Content

'; const result = renderHTML({ html: markdownHtml, alwaysSanitizeHtml: true }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Content

"`, ); }); test("data attributes preserved with sanitization", () => { const richHtml = '

Content

'; const result = renderHTML({ html: richHtml, alwaysSanitizeHtml: true, }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Content

"`, ); }); test("data attributes preserved without sanitization", () => { const richHtml = '

Content

'; const result = renderHTML({ html: richHtml, alwaysSanitizeHtml: false, }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Content

"`, ); }); test("dangerous content is sanitized when alwaysSanitizeHtml=true", () => { const dangerousHtml = '

Content

'; const result = renderHTML({ html: dangerousHtml, alwaysSanitizeHtml: true, }); const { container } = render(result); expect(container.innerHTML).toMatchInlineSnapshot( `"

Content

"`, ); }); });