Add integration test for HTML injection through regex literal in HTML report.

jcamiel · jcamiel · commit 248ac41cfa17 · 2025-06-10T13:12:18.000+02:00
diff --git a/integration/hurlfmt/tests_export/injection.html b/integration/hurlfmt/tests_export/injection.html
@@ -0,0 +1,6 @@
+<pre><code class="language-hurl"><span class="entry"><span class="request"><span class="comment"># This file checks that regex literal are well escaped and forbid JavaScript injections.</span>
+<span class="method">GET</span> <span class="url">https://foo.com</span>
+</span><span class="response"><span class="version">HTTP</span> <span class="number">200</span>
+<span class="section-header">[Asserts]</span>
+<span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/&lt;img src="" onerror="alert('Hi!')"&gt;/</span>
+</span></span></code></pre>
diff --git a/integration/hurlfmt/tests_export/injection.hurl b/integration/hurlfmt/tests_export/injection.hurl
@@ -0,0 +1,5 @@
+# This file checks that regex literal are well escaped and forbid JavaScript injections.
+GET https://foo.com
+HTTP 200
+[Asserts]
+jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/
diff --git a/integration/hurlfmt/tests_export/injection.json b/integration/hurlfmt/tests_export/injection.json
@@ -0,0 +1 @@
+{"entries":[{"request":{"method":"GET","url":"https://foo.com","comments":[" This file checks that regex literal are well escaped and forbid JavaScript injections."]},"response":{"status":200,"asserts":[{"query":{"type":"jsonpath","expr":"$.body"},"predicate":{"type":"matches","value":"<img src=\"\" onerror=\"alert('Hi!')\">","encoding":"regex"}}]}}]}
diff --git a/integration/hurlfmt/tests_export/injection.lint.hurl b/integration/hurlfmt/tests_export/injection.lint.hurl
@@ -0,0 +1,5 @@
+# This file checks that regex literal are well escaped and forbid JavaScript injections.
+GET https://foo.com
+HTTP 200
+[Asserts]
+jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/
diff --git a/packages/hurl_core/src/ast/visit.rs b/packages/hurl_core/src/ast/visit.rs
@@ -1,6 +1,6 @@
 /*
  * Hurl (https://hurl.dev)
- * Copyright (C) 2024 Orange
+ * Copyright (C) 2025 Orange
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,8 @@
 //! Walker traverses an AST in depth-first order. Each overridden visit method has full control over
 //! what happens with its node, it can do its own traversal of the node's children, call `visit::walk_*`
 //! to apply the default traversal algorithm, or prevent deeper traversal by doing nothing.
+//!
+//! Code heavily inspired from <https://github.com/rust-lang/rust/blob/master/compiler/rustc_ast/src/visit.rs>
 use crate::ast::{
     Assert, Base64, Body, BooleanOption, Bytes, Capture, Comment, Cookie, CookiePath, CountOption,
     DurationOption, Entry, EntryOption, File, FilenameParam, FilenameValue, Filter, FilterValue,

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"entries":[{"request":{"method":"GET","url":"https://foo.com","comments":[" This file checks that regex literal are well escaped and forbid JavaScript injections."]},"response":{"status":200,"asserts":[{"query":{"type":"jsonpath","expr":"$.body"},"predicate":{"type":"matches","value":"<img src=\"\" onerror=\"alert('Hi!')\">","encoding":"regex"}}]}}]}`