package activity

import "testing"

func TestSanitizeHTML_RemovesScript(t *testing.T) {
    in := `<div>ok</div><script>alert(1)</script>`
    out := sanitizeHTML(in)
    if out == in || contains(out, "<script") {
        t.Fatalf("script tag not removed: %s", out)
    }
}

func TestSanitizeHTML_RemovesOnEvent(t *testing.T) {
    in := `<a onclick="do()">link</a>`
    out := sanitizeHTML(in)
    if contains(out, "onclick=") {
        t.Fatalf("onclick attribute not removed: %s", out)
    }
}

func TestSanitizeHTML_RemovesJavascriptProtocol(t *testing.T) {
    in := `<a href="javascript:alert('x')">x</a>`
    out := sanitizeHTML(in)
    if contains(out, "javascript:") {
        t.Fatalf("javascript protocol not removed: %s", out)
    }
}

func contains(s, sub string) bool {
    return len(s) >= len(sub) && (func() bool { return stringContains(s, sub) })()
}

func stringContains(s, sub string) bool {
    return len(sub) == 0 || (len(s) >= len(sub) && indexOf(s, sub) >= 0)
}

func indexOf(s, sub string) int {
    for i := 0; i+len(sub) <= len(s); i++ {
        if s[i:i+len(sub)] == sub {
            return i
        }
    }
    return -1
}