/*
 * NOTE(review): this page is an extraction of a PHPUnit test class covering
 * MainSearchBar::sanitizeHighlights(). The HTML payloads inside the string
 * literals (the injected tags and the expected escaped forms) were stripped by
 * the extractor and HTML entities were decoded (e.g. the comment "quotes are
 * converted to "" evidently read `&quot;` originally), so several literals
 * and assertions below are no longer valid PHP. Nothing is reconstructed here.
 *
 * What the visible code establishes:
 *  - every test reaches the private sanitizeHighlights() through
 *    ReflectionClass::getMethod() + invoke(); setAccessible(true) has no effect
 *    on PHP >= 8.1 (reflection can always invoke private methods there) and
 *    can be dropped once that is the minimum supported version;
 *  - the contract under test is that raw search-highlight text is HTML-escaped
 *    while the search engine's own highlight markup survives (per the
 *    "Elasticsearch tags preserved" comment) -- presumably an allow-list of
 *    highlight tags restored after escaping; confirm against the component;
 *  - test_search_highlights_handle_empty_array pins that an empty highlights
 *    array yields an empty result (assertEmpty).
 *
 * Review points for whoever restores this file:
 *  - assertStringNotContainsString() on a single spelling of a tag is a weak
 *    negative check; prefer assertSame() against the complete expected escaped
 *    string so the whole output, not one substring, is pinned;
 *  - User::factory()->create() plus actingAs() look unrelated to an escaping
 *    helper; if sanitizeHighlights() reads no auth state (TODO confirm), a
 *    plain unit test without the database would be cheaper and less flaky;
 *  - the first test on this line starts before the visible text and the
 *    data-URI test is cut off at the end, so their bodies are not reviewable
 *    from this excerpt.
 */
create([ 'name' => 'Test User', 'email' => 'test@example.com', ]); // Authenticate as the user $this->actingAs($user); // Create MainSearchBar component instance $component = new MainSearchBar(); // Use reflection to access the private sanitizeHighlights method $reflection = new \ReflectionClass($component); $method = $reflection->getMethod('sanitizeHighlights'); $method->setAccessible(true); // Test 1: Simple script tag injection $maliciousHighlights = [ 'about_short_en' => [ 'I am a developer looking for work' ] ]; $sanitized = $method->invoke($component, $maliciousHighlights); $this->assertStringNotContainsString('' ] ]; $sanitized = $method->invoke($component, $mixedHighlights); // Elasticsearch tags preserved $this->assertStringContainsString('coding', $sanitized['about_short_en'][0]); // User XSS attempt escaped $this->assertStringNotContainsString('', $sanitized['about_short_en'][0]); $this->assertStringContainsString('<script>', $sanitized['about_short_en'][0]); } /** * Test that empty highlights array is handled correctly. * * @return void */ public function test_search_highlights_handle_empty_array() { $user = User::factory()->create(); $this->actingAs($user); $component = new MainSearchBar(); $reflection = new \ReflectionClass($component); $method = $reflection->getMethod('sanitizeHighlights'); $method->setAccessible(true); $emptyHighlights = []; $sanitized = $method->invoke($component, $emptyHighlights); $this->assertEmpty($sanitized); } /** * Test that event handler attributes are escaped. 
 * * @return void */ public function test_search_highlights_escape_event_handlers() { $user = User::factory()->create(); $this->actingAs($user); $component = new MainSearchBar(); $reflection = new \ReflectionClass($component); $method = $reflection->getMethod('sanitizeHighlights'); $method->setAccessible(true); $maliciousHighlights = [ 'about_en' => [ 'Click here for more info' ] ]; $sanitized = $method->invoke($component, $maliciousHighlights); // The anchor tag and attributes should be escaped $this->assertStringNotContainsString('assertStringContainsString('<a href="#"', $sanitized['about_en'][0]); // Verify the dangerous onclick is escaped (quotes are converted to ") $this->assertStringContainsString('onclick="', $sanitized['about_en'][0]); } /** * Test that data URIs with JavaScript are escaped. * * @return void */ public function test_search_highlights_escape_data_uris() { $user = User::factory()->create(); $this->actingAs($user); $component = new MainSearchBar(); $reflection = new \ReflectionClass($component); $method = $reflection->getMethod('sanitizeHighlights'); $method->setAccessible(true); $maliciousHighlights = [ 'about_en' => [ 'Visit link' ] ]; $sanitized = $method->invoke($component, $maliciousHighlights); // The anchor tag should be escaped, making the data URI harmless $this->assertStringNotContainsString('