fix #155: XSS in Jinja2 rendering

httprunner/__about__.py

@@ -1,7 +1,7 @@
 __title__ = 'HttpRunner'
 __description__ = 'One-stop solution for HTTP(S) testing.'
 __url__ = 'https://github.com/HttpRunner/HttpRunner'
-__version__ = '1.3.8.beta'
+__version__ = '1.3.8.beta.2'
 __author__ = 'debugtalk'
 __author_email__ = 'mail@debugtalk.com'
 __license__ = 'MIT'

httprunner/report.py

@@ -11,7 +11,7 @@ from datetime import datetime
 from httprunner import logger
 from httprunner.__about__ import __version__
 from httprunner.compat import basestring, bytes, json, numeric_types
-from jinja2 import Template
+from jinja2 import Template, escape
 from requests.structures import CaseInsensitiveDict
 
 
@@ -67,7 +67,7 @@ def make_json_serializable(raw_json):
             # class instance, e.g. MultipartEncoder()
             value = repr(value)
 
-        serializable_json[key] = value
+        serializable_json[key] = escape(value)
 
     keyorder = ["url", "method", "request_headers", "request_body", "request_time",
         "status_code", "response_headers", "response_body",