feat(login): pagina pubblica /login con next sicuro
This commit is contained in:
@@ -0,0 +1,18 @@
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import { safeNext } from '../src/lib/safe-next';
|
||||
|
||||
describe('safeNext', () => {
|
||||
it('accetta path interni', () => {
|
||||
expect(safeNext('/about')).toBe('/about');
|
||||
expect(safeNext('/blog/x?y=1')).toBe('/blog/x?y=1');
|
||||
});
|
||||
it('rifiuta esterni, protocol-relative, api e vuoti', () => {
|
||||
expect(safeNext(null)).toBe('/');
|
||||
expect(safeNext('')).toBe('/');
|
||||
expect(safeNext('//evil.com')).toBe('/');
|
||||
expect(safeNext('https://evil.com')).toBe('/');
|
||||
expect(safeNext('/api/admin/posts')).toBe('/');
|
||||
expect(safeNext('javascript:alert(1)')).toBe('/');
|
||||
expect(safeNext('not-a-path')).toBe('/');
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user