diff --git a/apps/web/functions/components/metaTagInjector.test.ts b/apps/web/functions/components/metaTagInjector.test.ts
index 9fd7689e7e0..81977b27bd9 100644
--- a/apps/web/functions/components/metaTagInjector.test.ts
+++ b/apps/web/functions/components/metaTagInjector.test.ts
@@ -1,93 +1,94 @@
import { MetaTagInjector } from './metaTagInjector'
-test('should append meta tag to element', () => {
- const element = {
- append: jest.fn(),
- } as unknown as Element
- const property = 'property'
- const content = 'content'
- const injector = new MetaTagInjector(
- {
- title: 'test',
- url: 'testUrl',
- image: 'testImage',
- description: 'testDescription',
- },
- new Request('http://localhost'),
- )
- injector.appendProperty(element, property, content)
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
+describe('MetaTagInjector', () => {
+ let element: HTMLElement
+ let injector: MetaTagInjector
- injector.element(element)
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(
- ``,
- {
- html: true,
- },
- )
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
- })
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
+ const metaData = {
+ title: 'test',
+ url: 'testUrl',
+ image: 'testImage',
+ description: 'testDescription',
+ }
+
+ beforeEach(() => {
+ element = {
+ append: jest.fn(),
+ } as unknown as HTMLElement
+
+ injector = new MetaTagInjector(metaData, new Request('http://localhost'))
})
- expect(element.append).toHaveBeenCalledWith(
- ``,
- {
- html: true,
- },
- )
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
+ test('should append individual meta tag correctly', () => {
+ const property = 'property'
+ const content = 'content'
+
+ injector.appendProperty(element, property, content)
+
+ expect(element.append).toHaveBeenCalledWith(
+ ``,
+ { html: true }
+ )
})
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
+
+ test('should append all required meta tags to the element', () => {
+ injector.element(element)
+
+ const expectedTags = [
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ``,
+ ]
+
+ expectedTags.forEach((tag) => {
+ expect(element.append).toHaveBeenCalledWith(tag, { html: true })
+ })
+
+ expect(element.append).toHaveBeenCalledTimes(expectedTags.length)
})
- expect(element.append).toHaveBeenCalledWith(``, {
- html: true,
+
+ test('should append x-blocked-paths meta if present in headers', () => {
+ const blockedRequest = new Request('http://localhost')
+ blockedRequest.headers.set('x-blocked-paths', '/')
+ const blockedInjector = new MetaTagInjector(metaData, blockedRequest)
+
+ blockedInjector.element(element)
+
+ expect(element.append).toHaveBeenCalledWith(
+ ``,
+ { html: true }
+ )
})
- expect(element.append).toHaveBeenCalledTimes(14)
-})
+ test('should prevent potential XSS via meta content', () => {
+ const unsafeMetaData = {
+ title: ``,
+ url: 'https://safe.com',
+ image: 'img.jpg',
+ description: 'test',
+ }
+
+ const xssInjector = new MetaTagInjector(unsafeMetaData, new Request('http://localhost'))
+ const xssElement = {
+ append: jest.fn(),
+ } as unknown as HTMLElement
+
+ xssInjector.element(xssElement)
+
+ // Assert it does not include unescaped script tag
+ const calls = (xssElement.append as jest.Mock).mock.calls
+ const scriptInjectionDetected = calls.some(([tag]) => tag.includes('