Skip to content

Fix JavaScript injection in HTML report through regex literal #4113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hurl-bot merged 2 commits into from
Jun 10, 2025
Merged

Fix JavaScript injection in HTML report through regex literal #4113

hurl-bot merged 2 commits into from
Jun 10, 2025

Conversation

@jcamiel
Copy link
Collaborator

@jcamiel jcamiel commented Jun 4, 2025
edited
Loading

@fabricereix I've changed the implementation of HTML format: was not mandatory to fix the injection pb but I think we could share the "walking" AST part for HTML and text export.

Now, we have a visitor trait with each node having a corresponding visit_item method.. Caller can insert custom code in visit_item, stop the walking or resume by calling walk_item.

Code is borrowed from rustc => https://github.com/rust-lang/rust/blob/master/compiler/rustc_ast/src/visit.rs

The text export (with ANSI code etc...) has not been touched. To test for regression, I've exported into HTML all our integration Hurl files and test the export before and the new export.

If you're OK with the code, let's merge it!

@jcamiel jcamiel self-assigned this Jun 4, 2025
@jcamiel jcamiel changed the title Fix HTML injection in HTML report through regex literal Fix JavaScript injection in HTML report through regex literal Jun 4, 2025
@jcamiel jcamiel force-pushed the visitor branch 2 times, most recently from 6a8252a to e8b173f Compare June 6, 2025 07:13
@jcamiel jcamiel marked this pull request as ready for review June 6, 2025 09:13
@jcamiel jcamiel requested a review from fabricereix June 6, 2025 09:13
@jcamiel jcamiel force-pushed the visitor branch 2 times, most recently from 5249ad8 to c4b5a99 Compare June 8, 2025 17:00
@fabricereix
Copy link
Collaborator

fabricereix commented Jun 10, 2025

/accept

@hurl-bot
Copy link
Collaborator

hurl-bot commented Jun 10, 2025

🕗 /accept is running, please wait for completion.

@hurl-bot
Copy link
Collaborator

hurl-bot commented Jun 10, 2025

✅ Pull request merged with fast forward by fabricereix..

# List of commits merged from Orange-OpenSource/hurl/visitor branch into Orange-OpenSource/hurl/master branch:

  • 248ac41 Add integration test for HTML injection through regex literal in HTML report.
  • 7dcdbd1 Fix HTML injection in HTML report through regex literal.

@hurl-bot hurl-bot merged commit 248ac41 into master Jun 10, 2025
25 checks passed
@hurl-bot hurl-bot deleted the visitor branch June 10, 2025 11:42
@jcamiel jcamiel linked an issue Jun 10, 2025 that may be closed by this pull request
Regex literal in Hurl files are not escaped when exported to HTML, allowing injections #4125
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabricereix fabricereix Awaiting requested review from fabricereix

Assignees

@jcamiel jcamiel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Regex literal in Hurl files are not escaped when exported to HTML, allowing injections

3 participants

@jcamiel @fabricereix @hurl-bot