Skip to content
This repository has been archived by the owner on Nov 21, 2017. It is now read-only.

EmailableReporter does not escape test method parameters. #91

Open
GoogleCodeExporter opened this issue Apr 23, 2015 · 1 comment
Open

EmailableReporter does not escape test method parameters. #91

GoogleCodeExporter opened this issue Apr 23, 2015 · 1 comment
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

I have several TestNG tests that use HTML or Javascript fragments in an 
@DataProvider to test for XSS issues in our web application.

These parameters revealed an XSS issue in EmailableReporter! In other words, I 
see Javascript alerts when I view emailable-report.html.

Looking at:
http://testng.googlecode.com/svn/tags/5.12/src/org/testng/reporters/EmailableRep
orter.java

The problem is:

            for (Object p : parameters) {
              m_out
                  .println("<td style=\"padding-left:.5em;padding-right:2em\">"
                      + (p != null ? p.toString() : "null") + "</td>");
            }

In the snippet above, p.toString() should be HTML-escaped.

Original issue reported on code.google.com by [email protected] on 14 Jul 2010 at 11:00
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter