From 9e7cd311b724843b33245ead425fd33e9c3b17fd Mon Sep 17 00:00:00 2001
From: VeljkoMaksimovic
Date: Fri, 5 Sep 2025 12:38:15 +0200
Subject: [PATCH 1/3] HTML sanitize test reports

---
 .../js/flaky_tests/components/actions.tsx | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/front/assets/js/flaky_tests/components/actions.tsx b/front/assets/js/flaky_tests/components/actions.tsx
index 60579b4d8..982248165 100644
--- a/front/assets/js/flaky_tests/components/actions.tsx
+++ b/front/assets/js/flaky_tests/components/actions.tsx
@@ -10,6 +10,7 @@ import * as types from "../types";
 import { auto } from "@popperjs/core";
 import { Headers } from "../network/request";
 import * as marked from "marked";
+import DOMPurify from 'dompurify';
 
 export const Actions = ({ item }: { item: FlakyTestItem, }) => {
   const config = useContext(stores.Config.Context);
@@ -157,7 +158,23 @@ const TicketDetail = (props: TicketDetailProps) => {
 **Commit**: ${props.item.latestDisruptionSha()}
 **File**: ${props.item.testFile}`;
 
-  return marked.parse(markdown);
+
+  const rawHtml = marked.parse(markdown);
+  return DOMPurify.sanitize(rawHtml, {
+    ALLOWED_TAGS: [
+      'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+      'p', 'br', 'strong', 'em', 'u', 'strike',
+      'ul', 'ol', 'li',
+      'blockquote', 'code', 'pre',
+      'a'
+    ],
+    ALLOWED_ATTR: [
+      'href', 'title'
+    ],
+    ALLOWED_SCHEMES: ['http', 'https', 'mailto'],
+    FORBID_TAGS: ['script', 'object', 'embed', 'iframe', 'form', 'input'],
+    FORBID_ATTR: ['onclick', 'onload', 'onerror', 'onmouseover', 'style']
+  });
 };
 
 

From 35dc18e6c7c9b1d521e775c313b286195fab27e0 Mon Sep 17 00:00:00 2001
From: VeljkoMaksimovic
Date: Mon, 8 Sep 2025 09:51:52 +0200
Subject: [PATCH 2/3] Use backtick instead of single quote

---
 .../js/flaky_tests/components/actions.tsx | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
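Review bot: `ALLOWED_SCHEMES` is not a DOMPurify configuration key as far as I know, so the scheme restriction the new `DOMPurify.sanitize` call in the second hunk intends is silently ignored; DOMPurify constrains URL-bearing attributes through `ALLOWED_URI_REGEXP` (its default already rejects `javascript:` and `data:` on `href`), so either drop the line or, if only absolute links are wanted, set something like `ALLOWED_URI_REGEXP: /^(?:https?|mailto):/i`. The same line survives into patch 3 of this series after `a` and `href` leave the allowlist, where it has nothing left to act on and should be removed. Separately, depending on the marked version in use, `marked.parse` may be typed `string | Promise<string>`; if it is, narrow before sanitizing, e.g. `const rawHtml = marked.parse(markdown, { async: false });` where that option is supported. The added empty `+` line after the removed `return` leaves two consecutive blank lines in the function body. TicketDetail starts outside the hunk.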
diff --git a/front/assets/js/flaky_tests/components/actions.tsx b/front/assets/js/flaky_tests/components/actions.tsx
index 982248165..e6832319b 100644
--- a/front/assets/js/flaky_tests/components/actions.tsx
+++ b/front/assets/js/flaky_tests/components/actions.tsx
@@ -10,7 +10,7 @@ import * as types from "../types";
 import { auto } from "@popperjs/core";
 import { Headers } from "../network/request";
 import * as marked from "marked";
-import DOMPurify from 'dompurify';
+import DOMPurify from "dompurify";
 
 export const Actions = ({ item }: { item: FlakyTestItem, }) => {
   const config = useContext(stores.Config.Context);
@@ -162,18 +162,18 @@ const TicketDetail = (props: TicketDetailProps) => {
   const rawHtml = marked.parse(markdown);
   return DOMPurify.sanitize(rawHtml, {
     ALLOWED_TAGS: [
-      'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
-      'p', 'br', 'strong', 'em', 'u', 'strike',
-      'ul', 'ol', 'li',
-      'blockquote', 'code', 'pre',
-      'a'
+      `h1`, `h2`, `h3`, `h4`, `h5`, `h6`,
+      `p`, `br`, `strong`, `em`, `u`, `strike`,
+      `ul`, `ol`, `li`,
+      `blockquote`, `code`, `pre`,
+      `a`
     ],
     ALLOWED_ATTR: [
-      'href', 'title'
+      `href`, `title`
     ],
-    ALLOWED_SCHEMES: ['http', 'https', 'mailto'],
-    FORBID_TAGS: ['script', 'object', 'embed', 'iframe', 'form', 'input'],
-    FORBID_ATTR: ['onclick', 'onload', 'onerror', 'onmouseover', 'style']
+    ALLOWED_SCHEMES: [`http`, `https`, `mailto`],
+    FORBID_TAGS: [`script`, `object`, `embed`, `iframe`, `form`, `input`],
+    FORBID_ATTR: [`onclick`, `onload`, `onerror`, `onmouseover`, `style`]
   });
 };
 

From 279264bde1deba7b4bc57ca621d1b84d9b0c1191 Mon Sep 17 00:00:00 2001
From: VeljkoMaksimovic
Date: Mon, 8 Sep 2025 10:27:55 +0200
Subject: [PATCH 3/3] Remove a tag and href from allowelist

---
 front/assets/js/flaky_tests/components/actions.tsx | 11 +++-------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/front/assets/js/flaky_tests/components/actions.tsx b/front/assets/js/flaky_tests/components/actions.tsx
index e6832319b..c13341a5d 100644
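Review bot: The second hunk rewrites constant strings as template literals (`` `h1` ``, `` `href` ``, `` `http` ``, …), which signals interpolation to a reader where none happens, while the first hunk of the same patch settles on double quotes for the import; `"h1", "h2", …` would match that convention and the file's other imports. If a lint rule is what drives the backticks, a one-line comment naming it at the top of the `ALLOWED_TAGS` array would spare the next reader the question. TicketDetail starts outside the hunk.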
--- a/front/assets/js/flaky_tests/components/actions.tsx
+++ b/front/assets/js/flaky_tests/components/actions.tsx
@@ -165,15 +165,10 @@ const TicketDetail = (props: TicketDetailProps) => {
       `h1`, `h2`, `h3`, `h4`, `h5`, `h6`,
       `p`, `br`, `strong`, `em`, `u`, `strike`,
       `ul`, `ol`, `li`,
-      `blockquote`, `code`, `pre`,
-      `a`
+      `blockquote`, `code`, `pre`
     ],
-    ALLOWED_ATTR: [
-      `href`, `title`
-    ],
-    ALLOWED_SCHEMES: [`http`, `https`, `mailto`],
-    FORBID_TAGS: [`script`, `object`, `embed`, `iframe`, `form`, `input`],
-    FORBID_ATTR: [`onclick`, `onload`, `onerror`, `onmouseover`, `style`]
+    ALLOWED_ATTR: [`title`],
+    ALLOWED_SCHEMES: [`http`, `https`, `mailto`]
   });
 };
 