diff --git a/HISTORY.md b/HISTORY.md index 6878672c..d8b9072e 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -1,5 +1,15 @@ # Release History +## 2.0.5 (2019-03-04) + +**Features** + +- implement method to get variables and output + +**Bugfixes** + +- fix xss in response json + ## 2.0.4 (2019-02-28) **Bugfixes** diff --git a/httprunner/__about__.py b/httprunner/__about__.py index 5d2399c0..952b6b7c 100644 --- a/httprunner/__about__.py +++ b/httprunner/__about__.py @@ -1,7 +1,7 @@ __title__ = 'HttpRunner' __description__ = 'One-stop solution for HTTP(S) testing.' __url__ = 'https://github.com/HttpRunner/HttpRunner' -__version__ = '2.0.4' +__version__ = '2.0.5' __author__ = 'debugtalk' __author_email__ = 'mail@debugtalk.com' __license__ = 'Apache-2.0' diff --git a/httprunner/templates/report_template.html b/httprunner/templates/report_template.html index 36b11bfd..633b97c5 100644 --- a/httprunner/templates/report_template.html +++ b/httprunner/templates/report_template.html @@ -266,8 +266,8 @@ {% else %} {{ value }} {% endif %} - {% elif key == "text" %} -
{{ req_resp.response.text | e }}
+ {% elif key in ["text", "json"] %}
+ {{ value | e }}
{% else %}
{{ value }}
{% endif %}
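Review bot: The `{{ value }}` outputs in the `{% else %}` branches on both sides of the changed lines are still rendered without `| e`, so only the `text` and `json` keys are escaped and any other key that reaches those branches can carry server-controlled markup into the HTML report. Whether the Jinja2 environment enables autoescaping is not visible here, but the need for an explicit filter suggests it does not. Consider writing `{{ value | e }}` in the fallback branches as well, or creating the environment with `autoescape=True` so that escaping is the default and raw output becomes the deliberate exception. The enclosing `{% if %}` chain starts and ends outside this hunk, so branches not shown here should be checked the same way.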
diff --git a/tests/test_api.py b/tests/test_api.py
index 9affc00a..b0b240f3 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,4 +1,5 @@
import os
+import re
import shutil
import time
import unittest
@@ -185,10 +186,6 @@ class TestHttpRunner(ApiServerUnittest):
{
"config": {
'name': "post data",
- 'request': {
- 'base_url': '',
- 'headers': {'User-Agent': 'python-requests/2.18.4'}
- },
'variables': []
},
"teststeps": [
@@ -198,6 +195,7 @@ class TestHttpRunner(ApiServerUnittest):
"url": "{}/post".format(HTTPBIN_SERVER),
"method": "POST",
"headers": {
+ "User-Agent": "python-requests/2.18.4",
"Content-Type": "application/json"
},
"data": "abc"
@@ -508,6 +506,45 @@ class TestHttpRunner(ApiServerUnittest):
# self.runner.run(testcase_file_path)
# self.assertTrue(self.runner.summary["success"])
+ def test_html_report_xss(self):
+ testcases = [
+ {
+ "config": {
+ 'name': "post data"
+ },
+ "teststeps": [
+ {
+ "name": "post data",
+ "request": {
+ "url": "{}/anything".format(HTTPBIN_SERVER),
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "json": {
+ 'success': False,
+ "person": "