till/hd-commerce
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Härtung (Code-Review): persistiertes Session-Secret statt Default-Fallback; timing-safe API-Token-Vergleich; Secure-Cookie auf HTTPS; HTML-Sanitizer für richtext/html-Blöcke + Seiten-Body (Stored-XSS); 14 Unit-Tests (Rabatt/MwSt/Versand/Sanitizer) + npm test

Browse Source
This commit is contained in:
Heidrich Digital
2026-06-18 07:00:31 +00:00
parent 67b2fb78b7
commit fc2ad9e678
8 changed files with 81 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/unit.mjs
+33
View File
@@ -0,0 +1,33 @@
// hd-commerce — Unit-Tests für Shop-Mathematik + Sanitizer. Lauf: npm test
import assert from 'node:assert';
import { mkdtempSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
process.env.DB_PATH = join(mkdtempSync(join(tmpdir(), 'hdc-test-')), 't.db');
const store = await import('../src/lib/store-sqlite.js');
const { sanitizeHtml } = await import('../src/lib/sanitize.js');
let pass = 0, fail = 0;
const t = (name, fn) => { try { fn(); pass++; console.log(' ✓', name); } catch (e) { fail++; console.error(' ✗', name, '—', e.message); } };
t('taxFromGross 19% aus 119,00 € = 19,00 €', () => assert.strictEqual(store.taxFromGross(11900, 19), 1900));
t('taxFromGross 7% aus 107,00 € = 7,00 €', () => assert.strictEqual(store.taxFromGross(10700, 7), 700));
t('taxFromGross 0% = 0', () => assert.strictEqual(store.taxFromGross(5000, 0), 0));
t('Versand DE gratis ab 49 € (50 € → 0)', () => assert.strictEqual(store.shippingFor('DE', 5000).price_cents, 0));
t('Versand DE unter Schwelle (10 € → 4,90 €)', () => assert.strictEqual(store.shippingFor('DE', 1000).price_cents, 490));
t('Versand CH = 9,90 €', () => assert.strictEqual(store.shippingFor('CH', 5000).price_cents, 990));
t('Gutschein WILLKOMMEN10 = 10% (50 € → 5 €)', () => { const v = store.validateDiscount('WILLKOMMEN10', 5000); assert.ok(v.ok); assert.strictEqual(v.amountCents, 500); });
t('Gutschein NAEHEN5 = 5% (50 € → 2,50 €)', () => { const v = store.validateDiscount('NAEHEN5', 5000); assert.ok(v.ok); assert.strictEqual(v.amountCents, 250); });
t('Gutschein case-insensitiv (willkommen10)', () => assert.ok(store.validateDiscount('willkommen10', 5000).ok));
t('Gutschein unbekannt → ungültig', () => assert.ok(!store.validateDiscount('GIBTSNICHT', 5000).ok));
t('Sanitizer entfernt <script>', () => assert.ok(!/<script/i.test(sanitizeHtml('<p>x</p><script>alert(1)</script>'))));
t('Sanitizer entfernt onerror=', () => assert.ok(!/onerror/i.test(sanitizeHtml('<img src=x onerror=alert(1)>'))));
t('Sanitizer neutralisiert javascript:', () => assert.ok(!/javascript:/i.test(sanitizeHtml('<a href="javascript:alert(1)">x</a>'))));
t('Sanitizer lässt normales Markup', () => assert.ok(/<strong>/.test(sanitizeHtml('<strong>fett</strong>'))));
console.log(`\n${pass} passed, ${fail} failed`);
process.exit(fail ? 1 : 0);