fix: Escaping HTML in log (#757)

2023-11-04 19:08:15 +01:00 · 2023-11-04 19:08:15 +01:00 · 82762a2ffc
parent 84a1f6882e
commit 82762a2ffc
3 changed files with 41 additions and 3 deletions
--- a/src/pytest_html/basereport.py
+++ b/src/pytest_html/basereport.py
@ -8,6 +8,7 @@ import os
 import re
 import warnings
 from collections import defaultdict
+from html import escape
 from pathlib import Path

 import pytest
@ -312,11 +313,11 @@ def _is_error(report):
 def _process_logs(report):
    log = []
    if report.longreprtext:
-        log.append(report.longreprtext.replace("<", "&lt;").replace(">", "&gt;") + "\n")
+        log.append(escape(report.longreprtext) + "\n")
    # Don't add captured output to reruns
    if report.outcome != "rerun":
        for section in report.sections:
-            header, content = section
+            header, content = map(escape, section)
            log.append(f"{' ' + header + ' ':-^80}\n{content}")

            # weird formatting related to logs
--- a/src/pytest_html/report_data.py
+++ b/src/pytest_html/report_data.py
@ -3,6 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 import warnings
 from collections import defaultdict
+from html import escape

 from pytest_html.util import _handle_ansi

@ -146,7 +147,7 @@ class ReportData:
            # Last index is "call"
            test = self._data["tests"][report.nodeid][-1]
            for section in report.sections:
-                header, content = section
+                header, content = map(escape, section)
                if "teardown" in header:
                    log.append(f"{' ' + header + ' ':-^80}\n{content}")
            test["log"] += _handle_ansi("\n".join(log))
--- a/testing/test_integration.py
+++ b/testing/test_integration.py
@ -787,6 +787,42 @@ class TestHTML:
        log = get_log(page)
        assert_that(log).does_not_match(r"测试用例名称")

+    @pytest.mark.parametrize("outcome, occurrence", [(True, 1), (False, 2)])
+    def test_log_escaping(self, pytester, outcome, occurrence):
+        """
+        Not the best test, but it does a simple verification
+        that the string is escaped properly and not rendered as HTML
+        """
+        texts = [
+            "0 Checking object <Chopstick Container> and more",
+            "1 Checking object <  > and more",
+            "2 Checking object <> and more",
+            "3 Checking object < C > and more",
+            "4 Checking object <C > and more",
+            "5 Checking object <   and more",
+            "6 Checking object < and more",
+            "7 Checking object < C  and more",
+            "8 Checking object <C  and more",
+            '9 Checking object "<Chopstick Container>" and more',
+            '10 Checking object "<  >" and more',
+            '11 Checking object "<>" and more',
+            '12 Checking object "< C >" and more',
+            '13 Checking object "<C >" and more',
+        ]
+        test_file = "def test_escape():\n"
+        for t in texts:
+            test_file += f"\tprint('{t}')\n"
+        test_file += f"\tassert {outcome}"
+        pytester.makepyfile(test_file)
+
+        page = run(pytester)
+        assert_results(page, passed=1 if outcome else 0, failed=1 if not outcome else 0)
+
+        log = get_log(page)
+        for each in texts:
+            count = log.count(each)
+            assert_that(count).is_equal_to(occurrence)
+

 class TestLogCapturing:
    LOG_LINE_REGEX = r"\s+this is {}"