diff --git a/httprunner/templates/report_template.html b/httprunner/templates/report_template.html index 36b11bfd..633b97c5 100644 --- a/httprunner/templates/report_template.html +++ b/httprunner/templates/report_template.html @@ -266,8 +266,8 @@ {% else %} {{ value }} {% endif %} - {% elif key == "text" %} -
{{ req_resp.response.text | e }}
+ {% elif key in ["text", "json"] %} +
{{ value | e }}
{% else %} {{ value }} {% endif %} diff --git a/tests/test_api.py b/tests/test_api.py index 9affc00a..da78f9b5 100644 --- a/tests/test_api.py +++ b/tests/test_api.py @@ -185,10 +185,6 @@ class TestHttpRunner(ApiServerUnittest): { "config": { 'name': "post data", - 'request': { - 'base_url': '', - 'headers': {'User-Agent': 'python-requests/2.18.4'} - }, 'variables': [] }, "teststeps": [ @@ -198,6 +194,7 @@ class TestHttpRunner(ApiServerUnittest): "url": "{}/post".format(HTTPBIN_SERVER), "method": "POST", "headers": { + "User-Agent": "python-requests/2.18.4", "Content-Type": "application/json" }, "data": "abc" @@ -508,6 +505,43 @@ class TestHttpRunner(ApiServerUnittest): # self.runner.run(testcase_file_path) # self.assertTrue(self.runner.summary["success"]) + def test_html_report_xss(self): + testcases = [ + { + "config": { + 'name': "post data" + }, + "teststeps": [ + { + "name": "post data", + "request": { + "url": "{}/anything".format(HTTPBIN_SERVER), + "method": "POST", + "headers": { + "Content-Type": "application/json" + }, + "json": { + 'success': False, + "person": "" + } + }, + "validate": [ + {"eq": ["status_code", 200]} + ] + } + ] + } + ] + tests_mapping = { + "testcases": testcases + } + report_path = self.runner.run(tests_mapping) + with open(report_path) as f: + self.assertIn( + ""<img src=x onerror=alert(1)>"}'", + f.read() + ) + class TestApi(ApiServerUnittest):
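Review bot: The two `{% else %} {{ value }}` fallbacks on either side of the new `key in ["text", "json"]` branch still render without `| e`, so any other request or response field that carries attacker-controlled content (an echoed header or url, for instance) is still written into the report as raw HTML. Unless the template is rendered with autoescape enabled, which is not visible here and is not Jinja2's default for `Template()`, escaping only the `text` and `json` keys leaves a deny-by-default gap. I would either wrap the block in `{% autoescape true %} … {% endautoescape %}` or change both fallbacks to `{{ value | e }}`. The enclosing `{% for %}`/`{% if %}` this branch belongs to starts outside the hunk.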
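Review bot: `test_html_report_xss` asserts only that the escaped form is present in the report and never that the raw `<img src=x onerror=alert(1)>` is absent, so it still passes if the same payload is also emitted unescaped elsewhere (the request body goes through a different template branch than the response). Read the file once and add the negative check: `content = f.read()`, `self.assertIn(<expected escaped string>, content)`, `self.assertNotIn('<img src=x onerror=alert(1)>', content)`. As captured here the `person` value reads `"person": ""` and the expected string looks truncated, which may be an artifact of how the page was extracted; confirm the committed test sends the literal tag. Opening the report with an explicit `encoding='utf-8'` would also keep the assertion independent of the locale's default codec.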