test: add escapeHtml utility tests

src/__tests__/html.test.ts

@@ -0,0 +1,49 @@
+import { describe, it, expect } from 'vitest';
+import { escapeHtml } from '../utils/html';
+
+describe('escapeHtml', () => {
+  it('escapes ampersands', () => {
+    expect(escapeHtml('foo & bar')).toBe('foo & bar');
+  });
+
+  it('escapes less-than', () => {
+    expect(escapeHtml('a < b')).toBe('a &lt; b');
+  });
+
+  it('escapes greater-than', () => {
+    expect(escapeHtml('a > b')).toBe('a &gt; b');
+  });
+
+  it('escapes double quotes', () => {
+    expect(escapeHtml('say "hello"')).toBe('say &quot;hello&quot;');
+  });
+
+  it('escapes single quotes', () => {
+    expect(escapeHtml("it's")).toBe('it&#39;s');
+  });
+
+  it('returns empty string unchanged', () => {
+    expect(escapeHtml('')).toBe('');
+  });
+
+  it('passes through strings with no special chars', () => {
+    expect(escapeHtml('hello world 123')).toBe('hello world 123');
+  });
+
+  it('escapes multiple special chars combined', () => {
+    expect(escapeHtml('<div class="x">&</div>')).toBe('&lt;div class=&quot;x&quot;&gt;&amp;&lt;/div&gt;');
+  });
+
+  it('escapes XSS payload', () => {
+    expect(escapeHtml('<script>alert("xss")</script>')).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;');
+  });
+
+  it('double-escapes existing entities', () => {
+    expect(escapeHtml('&amp;')).toBe('&amp;amp;');
+    expect(escapeHtml('&lt;')).toBe('&amp;lt;');
+  });
+
+  it('escapes single quotes in attributes', () => {
+    expect(escapeHtml("data-x='val'")).toBe('data-x=&#39;val&#39;');
+  });
+});