Fix html escaping
Change-Id: I34c188f997cef24497ded6f912b357e9a6eefddc Closes-bug: #1612988
parent
d4b99165c3
commit
df86344e75
@ -146,6 +146,7 @@ This formatter outputs the issues as HTML.
|
|||
|
||||
"""
|
||||
|
||||
import cgi
|
||||
import logging
|
||||
import sys
|
||||
|
||||
|
@ -334,14 +335,15 @@ pre {
|
|||
for index, issue in enumerate(issues):
|
||||
if not baseline or len(issues[issue]) == 1:
|
||||
candidates = ''
|
||||
code = code_block.format(code=issue.get_code(lines, True).
|
||||
strip('\n').lstrip(' '))
|
||||
safe_code = cgi.escape(issue.get_code(lines, True).
|
||||
strip('\n').lstrip(' '))
|
||||
code = code_block.format(code=safe_code)
|
||||
else:
|
||||
candidates_str = ''
|
||||
code = ''
|
||||
for candidate in issues[issue]:
|
||||
candidate_code = (candidate.get_code(lines, True).strip('\n').
|
||||
lstrip(' '))
|
||||
candidate_code = cgi.escape(candidate.get_code(lines, True).
|
||||
strip('\n').lstrip(' '))
|
||||
candidates_str += candidate_issue.format(code=candidate_code)
|
||||
|
||||
candidates = candidate_block.format(candidate_list=candidates_str)
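Review bot: Both new `cgi.escape(...)` calls use the default `quote=False`, so `"` and `'` pass through unchanged; that is only safe if `code_block` and `candidate_issue` (templates not shown in this hunk) place the text in element content rather than an attribute, and passing `quote=True` removes that dependency for free. Separately, `cgi.escape` has been deprecated since Python 3.2 in favour of `html.escape` and is removed in Python 3.8, so the `import cgi` added in the first hunk will eventually break the formatter; a small import shim with an explicit `quote=True` at both call sites (the two helpers have different defaults) keeps it running on every interpreter the project supports. Whether the other fields this formatter renders (issue text, filename, test id) are escaped cannot be judged from this hunk. The enclosing function, the loop over `issues`, starts before the hunk and continues after it.
```python
try:
    from html import escape as html_escape  # Python 3.2+
except ImportError:  # Python 2; note cgi.escape is gone in Python 3.8
    from cgi import escape as html_escape
# … unchanged: remaining imports, templates, report() preamble …
            safe_code = html_escape(issue.get_code(lines, True).
                                    strip('\n').lstrip(' '), quote=True)
```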
@ -128,6 +128,26 @@ class HtmlFormatterTests(testtools.TestCase):
|
|||
self.assertIn('CCCCCCC', issue1.text)
|
||||
self.assertIn('abc.py', issue1.text)
|
||||
|
||||
@mock.patch('bandit.core.issue.Issue.get_code')
|
||||
@mock.patch('bandit.core.manager.BanditManager.get_issue_list')
|
||||
def test_escaping(self, get_issue_list, get_code):
|
||||
self.manager.metrics.data['_totals'] = {'loc': 1000, 'nosec': 50}
|
||||
marker = '<tag in code>'
|
||||
|
||||
issue_a = _get_issue_instance()
|
||||
issue_x = _get_issue_instance()
|
||||
get_code.return_value = marker
|
||||
|
||||
get_issue_list.return_value = {issue_a: [issue_x]}
|
||||
|
||||
tmp_file = open(self.tmp_fname, 'w')
|
||||
b_html.report(
|
||||
self.manager, tmp_file, bandit.LOW, bandit.LOW)
|
||||
|
||||
with open(self.tmp_fname) as f:
|
||||
contents = f.read()
|
||||
self.assertNotIn(marker, contents)
|
||||
|
||||
|
||||
def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
|
||||
new_issue = issue.Issue(severity, confidence, 'Test issue')
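Review bot: In `test_escaping`, `tmp_file = open(self.tmp_fname, 'w')` is never closed or flushed before the same path is reopened for reading, so unless `b_html.report` closes the handle itself (not visible here) `contents` may be empty and `self.assertNotIn(marker, contents)` would pass vacuously. Writing the report inside a context manager, `with open(self.tmp_fname, 'w') as tmp_file:`, fixes both the leak and the ordering. The test would also be stronger if it asserted the escaped form is present, `self.assertIn('&lt;tag in code&gt;', contents)`, which proves the code was emitted and escaped rather than simply omitted. `_get_issue_instance` continues past the end of the hunk.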