Health Checker: Fix HTML report URL hyperlinks, br tag encoding, and CVE detail row leaks#2546

Merged: dpaulson45 merged 2 commits into main from dpaul-HC-HtmlDev on Jun 5, 2026

@dpaulson45
Member

Summary

Fixes three HTML report rendering issues:

  1. URL Hyperlinks — Plain-text URLs in the HTML report are now converted to clickable <a> hyperlinks with target=_blank and rel=noopener noreferrer
  2. <br> Tag Preservation — Fixes a regression from PR #2475 (Handle HTML text including greater and less than symbols) where <br> tags (used in the Security Vulnerabilities summary row) were being HTML-encoded to &lt;br&gt;
  3. CVE Detail Row Leaks — Added AddHtmlDetailRow = $false to 9 Security Vulnerability entries across 6 files that were leaking individual CVE rows into the HTML detail table instead of only appearing in the rolled-up summary

Files Changed

Fixes

  • Add-AnalyzedResultInformation.ps1 — URL-to-hyperlink conversion and <br> preservation in GetHtmlTextValue; added Pester extract markers for testability
  • Invoke-AnalyzerSecurityADV24199947.ps1 — Added AddHtmlDetailRow = $false
  • Invoke-AnalyzerSecurityCve-2022-21978.ps1 — Added AddHtmlDetailRow = $false
  • Invoke-AnalyzerSecurityCve-2022-41040.NotPublished.ps1 — Added AddHtmlDetailRow = $false
  • Invoke-AnalyzerSecurityCveAddressedBySerializedDataSigning.ps1 — Added AddHtmlDetailRow = $false
  • Invoke-AnalyzerSecurityCveAndOverrideCheck.ps1 — Added AddHtmlDetailRow = $false
  • Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1 — Added AddHtmlDetailRow = $false (4 locations)

Tests

  • HealthChecker.E19.Main.Tests.ps1 — 15 new tests: 11 unit tests for GetHtmlTextValue (encoding, <br> preservation, URL conversion, trailing punctuation) and 4 integration tests for HTML report structure and CVE rendering
  • HealthCheckerTests.ImportCode.NotPublished.ps1 — Added GetHtmlServerDetail and GetHtmlOverviewValue test helpers

Testing

  • All 106 Pester tests pass
  • Build script timing unchanged from main (~120s)
  • SpellCheck and PSScriptAnalyzer clean

Fixes #532
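
The output handling this description relies on (HTML-encode all text, restore only `<br>`, and build `<a>` elements solely from http(s) URLs) is sketched below as an added example; it is not code from this PR or from the project's GetHtmlTextValue. The function name ConvertTo-SafeHtmlCell, the trailing-punctuation set and the sample strings are assumptions.

```powershell
# Added illustration. ConvertTo-SafeHtmlCell is a hypothetical name, not the
# project's GetHtmlTextValue, and the sample strings below are constructed.
function ConvertTo-SafeHtmlCell {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)

    # Encode everything first, then restore only the one tag the report emits on purpose.
    $encode = {
        param([string]$s)
        [System.Net.WebUtility]::HtmlEncode($s) -replace '&lt;br\s*/?&gt;', '<br>'
    }

    # Only http/https is matched, so javascript: or data: text never becomes a link.
    # The character class stops at whitespace, angle brackets and quotes.
    $urlPattern = [regex]'https?://[^\s<>"'']+'
    $sb = [System.Text.StringBuilder]::new()
    $pos = 0

    foreach ($m in $urlPattern.Matches($Text)) {
        # Sentence punctuation after a URL belongs to the prose, not the link.
        $url = $m.Value.TrimEnd([char[]]'.,;:!?)')
        if ($url -notmatch '^https?://[^/]') { continue }   # no host left: keep as text

        $before = $Text.Substring($pos, $m.Index - $pos)
        [void]$sb.Append((& $encode $before))

        # Encode the URL for both the attribute value and the visible text.
        $safeUrl = [System.Net.WebUtility]::HtmlEncode($url)
        [void]$sb.Append("<a href=`"$safeUrl`" target=`"_blank`" rel=`"noopener noreferrer`">$safeUrl</a>")
        $pos = $m.Index + $url.Length
    }

    $rest = $Text.Substring($pos)
    [void]$sb.Append((& $encode $rest))
    $sb.ToString()
}

# Constructed sample cells: an intended <br>, stray markup, and a non-http scheme.
$samples = @(
    'Item A<br>See https://example.com/kb?id=1&lang=en.',
    'Threshold <10 and >5 <b>not bold</b>',
    'Not a link: javascript:void(0)'
)
$samples | ForEach-Object { ConvertTo-SafeHtmlCell -Text $_ }
```

Because the URL is encoded before it is placed in `href`, a quote or angle bracket in the source text cannot close the attribute or open a new tag.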

…CVE detail row leaks

- Convert plain-text URLs to clickable hyperlinks in HTML report (fixes #532)
- Preserve <br> tags after HTML encoding in GetHtmlTextValue (PR #2475 regression)
- Add AddHtmlDetailRow = $false to 9 Security Vulnerability entries that were
  leaking individual CVE rows into the HTML detail table instead of only appearing
  in the rolled-up Security Vulnerabilities summary row
- Add Extract for Pester Testing markers to GetHtmlTextValue for testability
- Add GetHtmlServerDetail and GetHtmlOverviewValue test helpers
- Add 15 Pester tests: 11 unit tests for GetHtmlTextValue encoding/URL/br behavior
  and 4 integration tests for HTML report structure and CVE rendering

Files fixed for missing AddHtmlDetailRow:
  - Invoke-AnalyzerSecurityADV24199947.ps1
  - Invoke-AnalyzerSecurityCve-2022-21978.ps1
  - Invoke-AnalyzerSecurityCve-2022-41040.NotPublished.ps1
  - Invoke-AnalyzerSecurityCveAddressedBySerializedDataSigning.ps1
  - Invoke-AnalyzerSecurityCveAndOverrideCheck.ps1
  - Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1 (4 locations)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 4, 2026 20:49
@dpaulson45 dpaulson45 requested a review from a team as a code owner June 4, 2026 20:49
@dpaulson45
Member Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

Contributor

Copilot AI left a comment


Pull request overview

This PR improves HealthChecker’s HTML report rendering and output shaping, primarily for the Security Vulnerabilities section, by (1) converting plain-text URLs into clickable hyperlinks, (2) preserving intended <br> tags in HTML cells (regression from PR #2475), and (3) preventing individual CVE “Security Vulnerability” entries from leaking into the HTML detail table by setting AddHtmlDetailRow = $false in relevant analyzers.

Changes:

  • Updated HTML text formatting logic (GetHtmlTextValue) to preserve <br> and convert http(s):// URLs into safe <a ...> links.
  • Suppressed HTML detail-row output for multiple Security Vulnerability analyzers via AddHtmlDetailRow = $false.
  • Added/expanded Pester coverage (unit + integration-style assertions) and introduced test helpers to validate HTML report structure and CVE rollups.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Diagnostics/HealthChecker/Analyzer/Add-AnalyzedResultInformation.ps1 | Enhances HTML text processing to preserve <br> and hyperlink URLs; adds Pester extract markers for testability. |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityADV24199947.ps1 | Prevents ADV24199947 from creating per-CVE HTML detail rows. |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2022-21978.ps1 | Prevents CVE-2022-21978 from creating per-CVE HTML detail rows (but see blocking null-check bug comment). |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2022-41040.NotPublished.ps1 | Prevents CVE-2022-41040 from creating per-CVE HTML detail rows. |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCveAddressedBySerializedDataSigning.ps1 | Prevents serialized-data-signing CVE entry from creating per-CVE HTML detail rows. |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCveAndOverrideCheck.ps1 | Prevents override-based CVE entries from creating per-CVE HTML detail rows. |
| Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1 | Prevents EP-related “Security Vulnerability” entries from leaking into HTML detail rows. |
| Diagnostics/HealthChecker/Tests/HealthChecker.E19.Main.Tests.ps1 | Adds unit tests for GetHtmlTextValue and HTML structure/CVE rollup validations. |
| Diagnostics/HealthChecker/Tests/HealthCheckerTests.ImportCode.NotPublished.ps1 | Adds helper accessors for HtmlServerValues to support new HTML tests. |

Comment on lines +297 to +298
# The regular CVE path sets AddHtmlDetailRow = $false, but the override CVE path
# in Invoke-AnalyzerSecurityCveAndOverrideCheck.ps1 is missing it.
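
Review bot: The comment at +297 to +298 says the override CVE path in Invoke-AnalyzerSecurityCveAndOverrideCheck.ps1 is missing AddHtmlDetailRow = $false, but this PR's own file list shows that file receiving the flag, so the comment describes the pre-fix state and will read as wrong once merged. Reword it to state what is now being guarded (both the regular and the override path suppress the per-CVE detail row), or drop it.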
@dpaulson45
Member Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@dpaulson45 dpaulson45 merged commit a29b75b into main Jun 5, 2026
7 checks passed
@dpaulson45 dpaulson45 deleted the dpaul-HC-HtmlDev branch June 5, 2026 14:57

Development

Successfully merging this pull request may close these issues.

HealthChecker - Add Hyperlink in HTML Report