Closed
Labels
- feat: ui (Vitest UI)
- p3-minor-bug: An edge case that only affects very specific usage (priority)
Description
Describe the bug
I have a few tests that compare HTML content. It shows the HTML diff as needed in the console. But the HTML content is not escaped and renders as HTML instead of text. This allows one to arbitrarily inject any HTML element in the web reporter.
Personally, I don't think executing arbitrary script in the Vitest web UI is any big deal, but it's annoying while trying to see the errors.
Reproduction
The reproduction is at https://stackblitz.com/edit/vitest-dev-vitest-fgckzr?file=test%2Fhtml.test.ts&initialPath=__vitest__/
For the script and style to be injected, open the first test fail report.
It should apply a green border to everything and show an alert.

System Info
  System:
    OS: Linux 6.6 Pop!_OS 22.04 LTS
    CPU: (8) x64 AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx
    Memory: 2.14 GB / 5.66 GB
    Container: Yes
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 20.11.1 - ~/.local/share/pnpm/node
    npm: 10.2.4 - ~/.local/share/pnpm/npm
    pnpm: 8.15.4 - ~/.local/share/pnpm/pnpm
    bun: 1.0.29 - ~/.bun/bin/bun
  Browsers:
    Chrome: 122.0.6261.94
  npmPackages:
    @vitest/ui: ^1.3.1 => 1.3.1
    vitest: ^1.3.1 => 1.3.1

Used Package Manager
pnpm
Validations
- Follow our Code of Conduct
- Read the Contributing Guidelines.
- Read the docs.
- Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
- Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
- The provided reproduction is a minimal reproducible example of the bug.
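
The class of bug reported above, as an added example that is not part of the original issue and is not Vitest's code: a reporter that interpolates diff text into markup, next to a version that escapes each line first, plus a check a reporter's unit tests could run. All function names and the sample diff are constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not a Vitest API.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample: the kind of diff a failing HTML comparison produces.
const sampleDiff = [
  '- Expected',
  '+ Received',
  '',
  '- <p>hello</p>',
  '+ <p>hello</p><style>* { border: 1px solid green }</style><script>alert(1)</script>',
].join('\n');

// Unsafe: diff text becomes markup, so the tested HTML is parsed by the browser.
function renderDiffUnsafe(diff) {
  return `<pre class="diff">${diff}</pre>`;
}

// Hardened: escape every line, then wrap it in the reporter's own markup.
function renderDiffSafe(diff) {
  const rows = diff.split('\n').map((line) => {
    const kind = line.startsWith('+') ? 'added' : line.startsWith('-') ? 'removed' : 'context';
    return `<span class="${kind}">${escapeHtml(line)}</span>`;
  });
  return `<pre class="diff">${rows.join('\n')}</pre>`;
}

// Regression check: list any tag in the output that the reporter did not emit itself.
function foreignTags(html, allowed = ['pre', 'span']) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found].sort();
}

console.log('unsafe output contains:', foreignTags(renderDiffUnsafe(sampleDiff)));
console.log('safe output contains:', foreignTags(renderDiffSafe(sampleDiff)));
```

In a DOM-based reporter, assigning the diff through `textContent` rather than `innerHTML` achieves the same result without manual escaping.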