# flake8: noqa
# pylint: disable=missing-function-docstring, redefined-outer-name, line-too-long
"""Unit tests for the single project-wide bleach config (sanitizer.py, issue #28 / §3).
Covers the stage-1 registry items that this module owns:
§3.1 s / del (strikethrough) survive.
§3.2 fail-closed: on a bleach error the fragment is html.escape()d, never returned raw.
§3.16 the single error-log name `html_sanitization_error` + log_context.
Plus the two non-default bleach params the maintainer flagged as load-bearing:
strip=True (disallowed tags are REMOVED, not escaped into visible text) and
protocols including 'tg' (tg:// links survive).
And the one-config invariant: only one ALLOWED_TAGS list exists in the repo.
"""
import logging
import pytest
import sanitizer
from sanitizer import sanitize_html, ALLOWED_TAGS, ALLOWED_PROTOCOLS
# --------------------------------------------------------------------------- #
# §3.1 — strikethrough survives (the drift the single config fixes).
# --------------------------------------------------------------------------- #
def test_strikethrough_s_survives():
assert sanitize_html("gone") == "gone"
def test_strikethrough_del_survives():
assert sanitize_html("removed") == "removed"
def test_s_and_del_in_allowed_tags():
assert "s" in ALLOWED_TAGS
assert "del" in ALLOWED_TAGS
# --------------------------------------------------------------------------- #
# strip=True — disallowed tags are REMOVED (bleach's default False would escape
# them into visible text). Both the tag and its dangerous attrs must vanish.
# --------------------------------------------------------------------------- #
def test_script_is_stripped_not_escaped():
out = sanitize_html("hi")
assert out == "hialert(1)"
# strip=True removed the tag entirely — it was NOT escaped into visible <script>.
assert "<script>" not in out
assert "'
with caplog.at_level(logging.ERROR):
out = sanitize_html(payload, log_context="channel test, message_id 7")
# Fail-closed: the raw payload was html.escape()d, NOT returned raw.
assert out == "<script>alert(1)</script>"
assert "