fix: mock body render missing context #630
Conversation
|
|
There are 1 test cases, failed count 0:
Reported by api-testing. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| } else { | ||
| if h.item.Response.BodyData, err = render.RenderAsBytes("start-item", h.item.Response.Body, h.item); err != nil { | ||
| fmt.Printf("failed to render body: %v", err) | ||
| } |
Check warning
Code scanning / CodeQL
Reflected cross-site scripting Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 4 days ago
To fix the reflected cross-site scripting vulnerability, we need to ensure that any user-controlled data is properly sanitized or escaped before being written to the HTTP response. In this case, we can use the html.EscapeString function from the html package to escape any potentially dangerous characters in the response body.
- We will modify the
writeResponsefunction to escape thedatabefore writing it to the response. - This change will be made in the
pkg/mock/in_memory.gofile. - We need to import the
htmlpackage to use thehtml.EscapeStringfunction.
| @@ -40,2 +40,3 @@ | ||
| "github.com/gorilla/mux" | ||
| "html" | ||
| ) | ||
| @@ -365,3 +366,4 @@ | ||
| if err == nil { | ||
| w.Write(data) | ||
| escapedData := html.EscapeString(string(data)) | ||
| w.Write([]byte(escapedData)) | ||
| } else { |
Coverage summary from CodacySee diff coverage on Codacy
Coverage variation details
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: Diff coverage details
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: See your quality gate settings Change summary preferencesCodacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #