Fix html escaping

Change-Id: I34c188f997cef24497ded6f912b357e9a6eefddc Closes-bug: #1612988
2016-08-15 12:54:24 +10:00 · 2016-08-15 12:54:24 +10:00 · df86344e75
parent d4b99165c3
commit df86344e75
2 changed files with 26 additions and 4 deletions
--- a/bandit/formatters/html.py
+++ b/bandit/formatters/html.py
@ -146,6 +146,7 @@ This formatter outputs the issues as HTML.

 """

+import cgi
 import logging
 import sys

@ -334,14 +335,15 @@ pre {
    for index, issue in enumerate(issues):
        if not baseline or len(issues[issue]) == 1:
            candidates = ''
-            code = code_block.format(code=issue.get_code(lines, True).
-                                     strip('\n').lstrip(' '))
+            safe_code = cgi.escape(issue.get_code(lines, True).
+                                   strip('\n').lstrip(' '))
+            code = code_block.format(code=safe_code)
        else:
            candidates_str = ''
            code = ''
            for candidate in issues[issue]:
-                candidate_code = (candidate.get_code(lines, True).strip('\n').
-                                  lstrip(' '))
+                candidate_code = cgi.escape(candidate.get_code(lines, True).
+                                            strip('\n').lstrip(' '))
                candidates_str += candidate_issue.format(code=candidate_code)

            candidates = candidate_block.format(candidate_list=candidates_str)
--- a/tests/unit/formatters/test_html.py
+++ b/tests/unit/formatters/test_html.py
@ -128,6 +128,26 @@ class HtmlFormatterTests(testtools.TestCase):
            self.assertIn('CCCCCCC', issue1.text)
            self.assertIn('abc.py', issue1.text)

+    @mock.patch('bandit.core.issue.Issue.get_code')
+    @mock.patch('bandit.core.manager.BanditManager.get_issue_list')
+    def test_escaping(self, get_issue_list, get_code):
+        self.manager.metrics.data['_totals'] = {'loc': 1000, 'nosec': 50}
+        marker = '<tag in code>'
+
+        issue_a = _get_issue_instance()
+        issue_x = _get_issue_instance()
+        get_code.return_value = marker
+
+        get_issue_list.return_value = {issue_a: [issue_x]}
+
+        tmp_file = open(self.tmp_fname, 'w')
+        b_html.report(
+            self.manager, tmp_file, bandit.LOW, bandit.LOW)
+
+        with open(self.tmp_fname) as f:
+            contents = f.read()
+        self.assertNotIn(marker, contents)
+

 def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
    new_issue = issue.Issue(severity, confidence, 'Test issue')