Merge pull request #532 from HttpRunner/bugfix

fix xss in response json
2026-05-12 02:21:29 +08:00 · 2019-03-04 20:37:44 +08:00
parent eaadcaabbb 6c76f2d8b4
commit dcbf11603c
4 changed files with 54 additions and 7 deletions
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,15 @@
 # Release History

+## 2.0.5 (2019-03-04)
+
+**Features**
+
+- implement method to get variables and output
+
+**Bugfixes**
+
+- fix xss in response json
+
 ## 2.0.4 (2019-02-28)

 **Bugfixes**
--- a/httprunner/about.py
+++ b/httprunner/about.py
@@ -1,7 +1,7 @@
 __title__ = 'HttpRunner'
 __description__ = 'One-stop solution for HTTP(S) testing.'
 __url__ = 'https://github.com/HttpRunner/HttpRunner'
-__version__ = '2.0.4'
+__version__ = '2.0.5'
 __author__ = 'debugtalk'
 __author_email__ = 'mail@debugtalk.com'
 __license__ = 'Apache-2.0'
--- a/httprunner/templates/report_template.html
+++ b/httprunner/templates/report_template.html
@@ -266,8 +266,8 @@
                            {% else %}
                              {{ value }}
                            {% endif %}
-                          {% elif key == "text" %}
-                              <pre>{{ req_resp.response.text | e }}</pre>
+                          {% elif key in ["text", "json"] %}
+                              <pre>{{ value | e }}</pre>
                          {% else %}
                            {{ value }}
                          {% endif %}
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,4 +1,5 @@
 import os
+import re
 import shutil
 import time
 import unittest
@@ -185,10 +186,6 @@ class TestHttpRunner(ApiServerUnittest):
            {
                "config": {
                    'name': "post data",
-                    'request': {
-                        'base_url': '',
-                        'headers': {'User-Agent': 'python-requests/2.18.4'}
-                    },
                    'variables': []
                },
                "teststeps": [
@@ -198,6 +195,7 @@ class TestHttpRunner(ApiServerUnittest):
                            "url": "{}/post".format(HTTPBIN_SERVER),
                            "method": "POST",
                            "headers": {
+                                "User-Agent": "python-requests/2.18.4",
                                "Content-Type": "application/json"
                            },
                            "data": "abc"
@@ -508,6 +506,45 @@ class TestHttpRunner(ApiServerUnittest):
    #     self.runner.run(testcase_file_path)
    #     self.assertTrue(self.runner.summary["success"])

+    def test_html_report_xss(self):
+        testcases = [
+            {
+                "config": {
+                    'name': "post data"
+                },
+                "teststeps": [
+                    {
+                        "name": "post data",
+                        "request": {
+                            "url": "{}/anything".format(HTTPBIN_SERVER),
+                            "method": "POST",
+                            "headers": {
+                                "Content-Type": "application/json"
+                            },
+                            "json": {
+                                'success': False,
+                                "person": "<img src=x onerror=alert(1)>"
+                            }
+                        },
+                        "validate": [
+                            {"eq": ["status_code", 200]}
+                        ]
+                    }
+                ]
+            }
+        ]
+        tests_mapping = {
+            "testcases": testcases
+        }
+        report_path = self.runner.run(tests_mapping)
+        with open(report_path) as f:
+            content = f.read()
+            m = re.findall(
+                re.escape("&#34;person&#34;: &#34;&lt;img src=x onerror=alert(1)&gt;&#34;"),
+                content
+            )
+            self.assertEqual(len(m), 2)
+

 class TestApi(ApiServerUnittest):