Add near 100% unit test coverage for webclient websocket layer

webclient/src/websocket/utils/sanitizeHtml.util.spec.ts

@@ -0,0 +1,55 @@
+import { sanitizeHtml } from './sanitizeHtml.util';
+
+describe('sanitizeHtml', () => {
+  it('passes through plain text unchanged', () => {
+    expect(sanitizeHtml('hello world')).toBe('hello world');
+  });
+
+  it('allows <br> tag', () => {
+    expect(sanitizeHtml('line1<br>line2')).toBe('line1<br />line2');
+  });
+
+  it('allows <b> tag', () => {
+    expect(sanitizeHtml('<b>bold</b>')).toBe('<b>bold</b>');
+  });
+
+  it('allows <img> tag', () => {
+    expect(sanitizeHtml('<img>')).toBe('<img />');
+  });
+
+  it('allows <center> tag', () => {
+    expect(sanitizeHtml('<center>x</center>')).toBe('<center>x</center>');
+  });
+
+  it('allows <font> tag with color attribute', () => {
+    expect(sanitizeHtml('<font color="red">text</font>')).toBe('<font color="red">text</font>');
+  });
+
+  it('strips disallowed tag <script>', () => {
+    expect(sanitizeHtml('<script>alert(1)</script>')).toBe('');
+  });
+
+  it('strips disallowed tag <div>', () => {
+    expect(sanitizeHtml('<div>content</div>')).toBe('content');
+  });
+
+  it('strips disallowed attribute onclick from <b>', () => {
+    expect(sanitizeHtml('<b onclick="evil()">hi</b>')).toBe('<b>hi</b>');
+  });
+
+  it('adds target=_blank and rel=noopener noreferrer to <a> tags', () => {
+    const result = sanitizeHtml('<a href="https://example.com">link</a>');
+    expect(result).toContain('target="_blank"');
+    expect(result).toContain('rel="noopener noreferrer"');
+  });
+
+  it('allows href attribute on <a>', () => {
+    const result = sanitizeHtml('<a href="https://example.com">link</a>');
+    expect(result).toContain('href="https://example.com"');
+  });
+
+  it('strips disallowed schemes like javascript:', () => {
+    const result = sanitizeHtml('<a href="javascript:alert(1)">xss</a>');
+    expect(result).not.toContain('javascript:');
+  });
+});