Escape user supplied data in html report (#2126) #2127
Conversation
LGTM. Have you tested a few cases? Like spaces in filenames etc?

Yes I did. HTML harmful stuff in locust-script-name, request names, error messages and exceptions. Did not test node-names, hostname and tasks, as I am unsure how to control them (easily). But I think escaping them just in case does not harm.

tox runs for me (only with python3.9 as I do not have other versions installed), not sure what the reason for the failure in the "checks" here is... there is just an empty error message.

I think the problems on GH are real errors. Can you check if your package versions are different from the ones listed in the build? (or just try installing the latest ones yourself)

Maybe I did it somehow wrong before. Now everything seems to be fixed.

Thx!
* More robust handling of ZMQ/RPC errors (locustio#2120)
* More robust RPC error handling on msg from worker
* Use dedicated exceptions, fewer nested try blocks
* Fix test_zmqrpc.py
* Undo function split since added new exceptions
* Fix more tests
* Fix some tests
* Fix typo
* Fix scoping of variables
* Add tests for RPC/ZMQ changes
* flake and black fixes
* Remove debug print line
  Co-authored-by: Ryan Warner <[email protected]>
* Remove timeout parameter from FastHttpUser unit tests
* Update changelog for 2.10
* Increase CONNECT_RETRY_COUNT to avoid workers giving up too soon if master is not up yet
* Escape user supplied data in html report (locustio#2126) (locustio#2127)
* Escape user supplied data in html report (locustio#2126)
  authored-by: Tom Herrmann <[email protected]>
* Replace the MD5 usage by SHA256
  MD5 is old, insecure, and can create problems for people using this package when they are trying to pass some compliance requirements (for example, FIPS).
* Fix escaping for exceptions in normal web ui (related to locustio#2126)
* implement table-sorting in report.html
* fix: Fix typo at user/wait_time.py
* improve report sorting
* enabled sorting of error messages as well as stacktraces
* Minor edits to the documentation
* Small documentation correction
* Minor edits to the documentation
* Log an error for every failed attempt to connect to master
  The connection timeout and number of attempts are hardcoded, so a failure will take very long. These log lines will allow to troubleshoot issues with the connection to master.
* Minor edits to the documentation
* Minor edits to the documentation
* Minor edits to the documentation
* Stop calling attributes 'properties' in some places.
* Give a better error message when someone accidentally sets User.task instead of User.tasks
* Fix detection of accidental TaskSet.task attribute
* fix spelling in comment
* style: add a report favicon
* Removed cache_timeout kwarg from request_stats_full_history_csv for flask 2.2.0
* temporary change to see logs for py38
* restored resource warning masking
* enabled tracemalloc temporarily
* removed tracemalloc
* Ensure no caching of stats history csv (replaces cache_timeout=None which was removed in locustio#2148)
* Update changelog for 2.10.2 (automatic changelog generation is broken, so CHANGELOG.md is incomplete)
* test: Implement failing test for issue locustio#2135
* fix: Set users_dispatcher to None when test is stopped
* chore: Remove misleading docstring in test
* chore: Do not use intermediate variable for one-use
* perf(test): Decrease test runtime

Co-authored-by: solowalker27 <[email protected]>
Co-authored-by: Ryan Warner <[email protected]>
Co-authored-by: Lars Holmberg <[email protected]>
Co-authored-by: Tom Herrmann <[email protected]>
Co-authored-by: Renan Gomes Barreto <[email protected]>
Co-authored-by: Tom Herrmann <[email protected]>
Co-authored-by: Lukas Lanzner <[email protected]>
Co-authored-by: Dmytro Litvinov <[email protected]>
Co-authored-by: Xavier Sosnovsky <[email protected]>
Co-authored-by: Andy Byrne <[email protected]>
Co-authored-by: gdm85 <[email protected]>
Co-authored-by: Xavier Sosnovsky <[email protected]>
Co-authored-by: Lars Holmberg <[email protected]>
Co-authored-by: Lijiawei <[email protected]>
Co-authored-by: Michael Nester <[email protected]>
Co-authored-by: Maxence Boutet <[email protected]>
Co-authored-by: Maxence Boutet <[email protected]>
This is a quick fix for issue #2126, possibly not the most elegant solution.
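The fields named in the conversation above (the locustfile name, request names, error messages and exceptions) are the user-controlled values that end up in the HTML report. The following standalone Python is an added illustration, not Locust's own code or the approach taken in this PR: it renders a minimal report from constructed sample data once with the standard library `html.escape` applied to every user-controlled field and once without, and includes a check that lists any field whose raw value reached the markup unescaped. `SAMPLE_REPORT_DATA`, `build_report`, `find_unescaped` and the sample payloads are all assumptions made for this example.

```python
"""Added example (not Locust's own code): escape user-controlled fields before
inserting them into an HTML report, and check that no raw value slipped through."""
import html

# Constructed sample data mirroring the fields the PR discussion names as
# user-controlled: the locustfile name, request names and error messages.
SAMPLE_REPORT_DATA = {
    "locustfile": "my_locustfile.py<img src=x onerror=alert(1)>",
    "requests": [
        {"name": "GET /api/<script>alert(1)</script>",
         "num_requests": 10, "num_failures": 1},
        {"name": "GET /health", "num_requests": 25, "num_failures": 0},
    ],
    "errors": [
        {"method": "GET", "name": "/login",
         "error": 'HTTPError("500 <b>Server</b> Error")'},
    ],
}


def render_cell(value):
    """Escape a value for use as element content; quote=True also makes it
    safe inside a double-quoted attribute (e.g. a title= or data-* value)."""
    return html.escape(str(value), quote=True)


def user_controlled_fields(data):
    """Yield (label, raw_value) for every field that came from user input."""
    yield "locustfile", data["locustfile"]
    for i, req in enumerate(data["requests"]):
        yield "requests[%d].name" % i, req["name"]
    for i, err in enumerate(data["errors"]):
        yield "errors[%d].name" % i, err["name"]
        yield "errors[%d].error" % i, err["error"]


def build_report(data, escape=True):
    """Render a minimal report. escape=False reproduces the unescaped
    behaviour this PR fixes; escape=True is the hardened form."""
    esc = render_cell if escape else str
    lines = [
        "<html><body>",
        "<h1>Report for %s</h1>" % esc(data["locustfile"]),
        "<table>",
    ]
    for req in data["requests"]:
        lines.append("<tr><td>%s</td><td>%d</td><td>%d</td></tr>"
                     % (esc(req["name"]), req["num_requests"], req["num_failures"]))
    lines.append("</table><table>")
    for err in data["errors"]:
        lines.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
                     % (esc(err["method"]), esc(err["name"]), esc(err["error"])))
    lines.append("</table></body></html>")
    return "\n".join(lines)


def find_unescaped(report, data):
    """Return labels of user-controlled fields whose raw value needed escaping
    but still appears verbatim in the rendered report. Values that contain no
    special characters (e.g. "/login") are never flagged."""
    return [label for label, raw in user_controlled_fields(data)
            if render_cell(raw) != raw and raw in report]


if __name__ == "__main__":
    hardened = build_report(SAMPLE_REPORT_DATA)
    vulnerable = build_report(SAMPLE_REPORT_DATA, escape=False)
    print("unescaped fields (hardened):  ", find_unescaped(hardened, SAMPLE_REPORT_DATA))
    print("unescaped fields (vulnerable):", find_unescaped(vulnerable, SAMPLE_REPORT_DATA))
```

`find_unescaped` is the shape of a regression test for this class of bug: feed every user-controlled field a value that must change under escaping and assert that none of the raw values survive into the output. Escaping is applied at render time rather than when the values are stored, so the same request name can still be shown unmodified in the CSV export or logs.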