HTML Report does not correctly escape statistics data #2126
Sounds annoying. PRs welcome.
Should be a matter of putting
herrmanntom pushed a commit to herrmanntom/locust that referenced this issue Jul 5, 2022
cyberw pushed a commit that referenced this issue Jul 5, 2022
* Escape user supplied data in html report (#2126) authored-by: Tom Herrmann <[email protected]>
Turns out, the exception display in the web UI also does not escape the traceback correctly... I added another PR for this.
herrmanntom pushed a commit to herrmanntom/locust that referenced this issue Jul 11, 2022
herrmanntom pushed a commit to herrmanntom/locust that referenced this issue Jul 11, 2022
cyberw added a commit that referenced this issue Jul 11, 2022
Fix escaping for exceptions in normal web ui (related to #2126)
danigoland added a commit to danigoland/locust that referenced this issue Aug 9, 2022
* More robust handling of ZMQ/RPC errors (locustio#2120)
* More robust RPC error handling on msg from worker
* Use dedicated exceptions, fewer nested try blocks
* Fix test_zmqrpc.py
* Undo function split since added new exceptions
* Fix more tests
* Fix some tests
* Fix typo
* Fix scoping of variables
* Add tests for RPC/ZMQ changes
* flake and black fixes
* Remove debug print line
  Co-authored-by: Ryan Warner <[email protected]>
* Remove timeout parameter from FastHttpUser unit tests
* Update changelog for 2.10
* Increase CONNECT_RETRY_COUNT to avoid workers giving up too soon if master is not up yet
* Escape user supplied data in html report (locustio#2126) (locustio#2127)
* Escape user supplied data in html report (locustio#2126) authored-by: Tom Herrmann <[email protected]>
* Replace the MD5 usage by SHA256
  MD5 is old, insecure, and can create problems for people using this package when they are trying to pass some compliance requirements (for example, FIPS).
* Fix escaping for exceptions in normal web ui (related to locustio#2126)
* implement table-sorting in report.html
* fix: Fix typo at user/wait_time.py
* improve report sorting
* enabled sorting of error messages as well as stacktraces
* Minor edits to the documentation
* Small documentation correction
* Minor edits to the documentation
* Log an error for every failed attempt to connect to master
  The connection timeout and number of attempts are hardcoded, so a failure will take very long
  These log lines will allow to troubleshoot issues with the connection to master
* Minor edits to the documentation
* Minor edits to the documentation
* Minor edits to the documentation
* Stop calling attributes 'properties' in some places.
* Give a better error message when someone accidentally sets User.task instead of User.tasks
* Fix detection of accidental TaskSet.task attribute
* fix spelling in comment
* style: add a report favicon
* Removed cache_timeout kwarg from request_stats_full_history_csv for flask 2.2.0
* temporary change to see logs for py38
* restored resource warning masking
* enabled tracemalloc temporarily
* removed tracemalloc
* Ensure no caching of stats history csv (replaces cache_timeout=None which was removed in locustio#2148)
* Update changelog for 2.10.2 (automatic changelog generation is broken, so CHANGELOG.md is incomplete)
* test: Implement failing test for issue locustio#2135
* fix: Set users_dispatcher to None when test is stopped
* chore: Remove misleading docstring in test
* chore: Do not use intermediate variable for one-use
* perf(test): Decrease test runtime
Co-authored-by: solowalker27 <[email protected]>
Co-authored-by: Ryan Warner <[email protected]>
Co-authored-by: Lars Holmberg <[email protected]>
Co-authored-by: Tom Herrmann <[email protected]>
Co-authored-by: Renan Gomes Barreto <[email protected]>
Co-authored-by: Tom Herrmann <[email protected]>
Co-authored-by: Lukas Lanzner <[email protected]>
Co-authored-by: Dmytro Litvinov <[email protected]>
Co-authored-by: Xavier Sosnovsky <[email protected]>
Co-authored-by: Andy Byrne <[email protected]>
Co-authored-by: gdm85 <[email protected]>
Co-authored-by: Xavier Sosnovsky <[email protected]>
Co-authored-by: Lars Holmberg <[email protected]>
Co-authored-by: Lijiawei <[email protected]>
Co-authored-by: Michael Nester <[email protected]>
Co-authored-by: Maxence Boutet <[email protected]>
Co-authored-by: Maxence Boutet <[email protected]>
Describe the bug
In case your statistics include html, or html-like content, then the html report breaks in various ways.
For example, one could:
name="/api/user/<userId>/info"
response.failure("failed with payload: " + response.text)
Expected behavior
All html entities within user controlled parts of the statistics must be properly encoded, so that the report can be viewed correctly with such data inside.
Actual behavior
Data is not encoded, report breaks.
Steps to reproduce
Mark a response as failed with this message:
response.failure("<title>")
then generate html report
Look at "failure" table. It will break after this entry. Also remaining content after this line is broken (so graphs are missing etc)
Environment
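The failure mode reported in this issue, as an added example that is not part of the original thread and is not Locust's own code: a failures table is rendered with and without encoding of the user-controlled cells, then parsed to list any tags that did not come from the template. `render_failures`, `TagAudit` and `audit` are hypothetical names, and the sample rows are constructed from the strings quoted in the report.

```python
import html
from html.parser import HTMLParser

# Constructed failure entries (request name, failure message), using the
# strings quoted in the issue report.
FAILURES = [
    ("/api/user/<userId>/info", "<title>"),
    ("/api/login", "failed with payload: <b>denied</b> & more"),
]
ALLOWED_TAGS = {"table", "tr", "td"}  # the only tags this template emits itself


def render_failures(rows, escape):
    """Render a failures table; `escape` toggles encoding of user-controlled cells."""
    enc = html.escape if escape else (lambda s: s)
    body = "".join(
        f"<tr><td>{enc(name)}</td><td>{enc(msg)}</td></tr>" for name, msg in rows
    )
    return f"<table>{body}</table>"


class TagAudit(HTMLParser):
    """Collects start tags that did not come from the template, plus cell text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.unexpected = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.unexpected.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(markup):
    """Return (tags injected by data, text chunks as a browser would display them)."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.unexpected, parser.text


if __name__ == "__main__":
    for escape in (False, True):
        unexpected, _ = audit(render_failures(FAILURES, escape))
        print("escaped" if escape else "raw", "-> injected tags:", unexpected)
```

The same audit can be run in a regression test over a generated report: any tag outside the template's own set means a statistics field reached the page unencoded.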