Hi";
expect(PdfHtmlSanitizer::sanitize($html))->not->toContain('toContain('')->toContain('');
});
it('strips style and link attributes that may carry URLs', function () {
$html = '
x
y';
$out = PdfHtmlSanitizer::sanitize($html);
expect($out)->not->toContain('style=')->not->toContain('href=')->not->toContain('example.com');
});
it('returns empty string for empty input', function () {
expect(PdfHtmlSanitizer::sanitize(''))->toBe('');
});
it('normalizes legacy closing-br markup so lines are not collapsed in PDF output', function () {
$html = 'line1line2';
$out = PdfHtmlSanitizer::sanitize($html);
expect($out)->toContain('toContain('line1')->toContain('line2');
expect($out)->not->toBe('line1line2');
});
it('strips SSRF vectors injected via address-template placeholders', function () {
// Simulates the output of GeneratesPdfTrait::getFormattedString() after a
// malicious customer name like "Acme " has
// been substituted into an address template via {BILLING_ADDRESS_NAME}.
$html = "Acme 123 Main St Springfield";
$out = PdfHtmlSanitizer::sanitize($html);
expect($out)->not->toContain('not->toContain('src=');
expect($out)->not->toContain('attacker.test');
expect($out)->toContain('Acme');
expect($out)->toContain('123 Main St');
expect($out)->toContain('Springfield');
});
it('strips iframe and link tags that could trigger SSRF', function () {
$html = 'Hello';
$out = PdfHtmlSanitizer::sanitize($html);
expect($out)->not->toContain('not->toContain('not->toContain('attacker');
expect($out)->toContain('Hello');
});
it('strips on* event handler attributes from allowed tags', function () {
$html = '