package handlers

import (
	"regexp"
	"strings"
)

// ansiEscapePattern matches ANSI escape sequences (CSI, OSC, and single-character escapes).
var ansiEscapePattern = regexp.MustCompile(`(\x1b\[[0-9;]*[a-zA-Z]|\x1b\][^\x07]*\x07|\x1b[^[\]])`)

// SanitizeLogs strips ANSI escape sequences and non-printable control characters
// from container log output. Newlines (\n), carriage returns (\r), and tabs (\t)
// are preserved. This ensures that attacker-controlled container output cannot
// inject terminal escape sequences or other dangerous control characters.
func SanitizeLogs(input string) string {
	// Strip ANSI escape sequences
	result := ansiEscapePattern.ReplaceAllString(input, "")

	// Strip remaining non-printable characters (keep \n, \r, \t)
	var b strings.Builder
	b.Grow(len(result))

	for _, r := range result {
		if r == '\n' || r == '\r' || r == '\t' || r >= ' ' {
			b.WriteRune(r)
		}
	}

	return b.String()
}