from tests.conftest import BASE_URL
from tests.test_post import create_post

POST_PAYLOAD = "XSSPROBE <img src=x onerror=alert('p')><script>alert('s')</script> end of post"
COMMENT_PAYLOAD = "CMTPROBE <img src=x onerror=alert('c')><script>alert('s')</script> end of comment"


def test_post_content_is_sanitized(alice):
    page, _ = alice
    fired = []
    page.on("dialog", lambda d: (fired.append(d.message), d.dismiss()))
    create_post(page, "random", POST_PAYLOAD)
    content = page.locator(".post-detail-content")
    content.wait_for(state="visible")
    page.locator(".post-detail-content p").first.wait_for(state="visible")
    html = content.inner_html().lower()
    assert "<script" not in html
    assert "<img" not in html
    assert not fired, f"XSS payload executed: {fired}"


def test_comment_content_is_sanitized(alice):
    page, _ = alice
    fired = []
    page.on("dialog", lambda d: (fired.append(d.message), d.dismiss()))
    create_post(page, "random", "Clean host post for comment sanitization")
    page.locator(".comment-form textarea[name='content']").fill(COMMENT_PAYLOAD)
    page.locator(".comment-form button:has-text('Post')").click()
    comment = page.locator(".comment-text:has-text('CMTPROBE')")
    comment.wait_for(state="visible")
    page.locator(".comment-text p").first.wait_for(state="visible")
    html = comment.inner_html().lower()
    assert "<script" not in html
    assert "<img" not in html
    assert not fired, f"XSS payload executed: {fired}"