fix: xss in response json

This commit is contained in:
debugtalk
2019-03-04 19:34:49 +08:00
parent eaadcaabbb
commit ac70488ee2
2 changed files with 40 additions and 6 deletions


@@ -266,8 +266,8 @@
{% else %}
{{ value }}
{% endif %}
{% elif key == "text" %}
<pre>{{ req_resp.response.text | e }}</pre>
{% elif key in ["text", "json"] %}
<pre>{{ value | e }}</pre>
{% else %}
{{ value }}
{% endif %}
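Review bot: The new `{% elif key in ["text", "json"] %}` branch escapes only those two values; the `{% else %}{{ value }}` fallthrough directly below it (and the `{{ value }}` in the branch above) still emit every other field unescaped, and in a report built from a remote server's reply those fields (headers, cookies, url, content) are as attacker-controlled as the body. Unless the Jinja environment is created with autoescaping — which the need for this patch suggests it is not — the allowlist will keep missing keys; change the fallthrough to `{{ value | e }}` as well, or create the Environment with `autoescape=True` and drop the per-key `| e` filters. The enclosing conditional block starts before this hunk, so any sibling branches that render values are not visible here and should be checked the same way.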


@@ -185,10 +185,6 @@ class TestHttpRunner(ApiServerUnittest):
{
"config": {
'name': "post data",
'request': {
'base_url': '',
'headers': {'User-Agent': 'python-requests/2.18.4'}
},
'variables': []
},
"teststeps": [
@@ -198,6 +194,7 @@ class TestHttpRunner(ApiServerUnittest):
"url": "{}/post".format(HTTPBIN_SERVER),
"method": "POST",
"headers": {
"User-Agent": "python-requests/2.18.4",
"Content-Type": "application/json"
},
"data": "abc"
@@ -508,6 +505,43 @@ class TestHttpRunner(ApiServerUnittest):
# self.runner.run(testcase_file_path)
# self.assertTrue(self.runner.summary["success"])
def test_html_report_xss(self):
testcases = [
{
"config": {
'name': "post data"
},
"teststeps": [
{
"name": "post data",
"request": {
"url": "{}/anything".format(HTTPBIN_SERVER),
"method": "POST",
"headers": {
"Content-Type": "application/json"
},
"json": {
'success': False,
"person": "<img src=x onerror=alert(1)>"
}
},
"validate": [
{"eq": ["status_code", 200]}
]
}
]
}
]
tests_mapping = {
"testcases": testcases
}
report_path = self.runner.run(tests_mapping)
with open(report_path) as f:
self.assertIn(
"&#34;&lt;img src=x onerror=alert(1)&gt;&#34;}&#39;",
f.read()
)
class TestApi(ApiServerUnittest):
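Review bot: The assertion in `test_html_report_xss` only proves that an escaped copy of the payload appears somewhere in the report; it would still pass if the same string were also rendered unescaped in another section (request body, headers, or an unescaped `{% else %}` branch of the template), which is exactly the regression the test is meant to catch. Read the file once and add the negative check: `content = f.read()` followed by `self.assertNotIn("<img src=x onerror=alert(1)>", content)` alongside the existing `assertIn`. The expected fragment `&#34;&lt;img src=x onerror=alert(1)&gt;&#34;}&#39;` also pins the exact quoting of the serialized JSON body, so a harmless change in how the body is stringified would fail the test without a real regression; matching only `&lt;img src=x onerror=alert(1)&gt;` is enough and less brittle. Like its siblings, the test depends on a live HTTPBIN_SERVER, so it will not exercise the escaping at all when that endpoint is unreachable.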