From f116f7dd6a826f56920408d3ede14fe4da38aed3 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Sun, 12 Jan 2025 01:19:31 +0000
Subject: [PATCH] test(sanitizer): add a fuzzer
---
 internal/reader/sanitizer/sanitizer_test.go | 25 +++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/internal/reader/sanitizer/sanitizer_test.go b/internal/reader/sanitizer/sanitizer_test.go
index a0eb46e970d..07044bf1626 100644
--- a/internal/reader/sanitizer/sanitizer_test.go
+++ b/internal/reader/sanitizer/sanitizer_test.go
@@ -5,8 +5,11 @@ package sanitizer // import "miniflux.app/v2/internal/reader/sanitizer"
 import (
 "os"
+ "strings"
 "testing"
+ "golang.org/x/net/html"
+
 "miniflux.app/v2/internal/config"
 )
@@ -35,6 +38,28 @@ func BenchmarkSanitize(b *testing.B) {
 }
 }
+func FuzzSanitizer(f *testing.F) {
+ f.Fuzz(func(t *testing.T, orig string) {
+ tok := html.NewTokenizer(strings.NewReader(orig))
+ i := 0
+ for tok.Next() != html.ErrorToken {
+ i++
+ }
+
+ out := Sanitize("", orig)
+
+ tok = html.NewTokenizer(strings.NewReader(out))
+ j := 0
+ for tok.Next() != html.ErrorToken {
+ j++
+ }
+
+ if j > i {
+ t.Errorf("Got more html tokens in the sanitized html.")
+ }
+ })
+}
+
 func TestValidInput(t *testing.T) {
 input := `

This is a text with an image: Test.

` output := Sanitize("http://example.org/", input)
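Review bot: The only property FuzzSanitizer asserts is the final `if j > i` check, i.e. that sanitising does not increase the token count, so a regression that lets a disallowed element or attribute through unchanged would still pass. Consider inspecting the output tokens in the second loop and failing on any tag or attribute the sanitizer is meant to strip (presumably script elements and `on*` handler attributes; confirm against the package's allow-list). There is also no `f.Add(...)` seed, so a plain `go test` run exercises nothing here unless a testdata corpus exists outside this patch, and `Sanitize("", orig)` with an empty base URL probably leaves the URL-handling paths largely unexercised; seeding with the inputs and base URL the existing tests use would help. The failure message should also carry the evidence needed to triage a finding: `t.Errorf("sanitized output has %d tokens, input had %d: %q", j, i, orig)`.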