Describe the bug
I have a few tests that compare HTML content. It shows the HTML diff as needed in the console. But the HTML content is not escaped and renders as HTML instead of text. This allows one to arbitrarily inject any HTML element in the web reporter.
Personally, I don't think executing arbitrary script in vitest web ui is any big deal, but it's annoying while trying to see the errors.
Reproduction
The reproduction is at https://stackblitz.com/edit/vitest-dev-vitest-fgckzr?file=test%2Fhtml.test.ts&initialPath=__vitest__/
For the script and style to be injected, open the first test fail report.
It should apply a green border to everything and show an alert.
System Info
Used Package Manager
pnpm
Validations
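
The fix class for the report above, as an added example that is not part of the original issue and is not Vitest's code: a diff renderer that escapes each line before wrapping it in markup, next to the unescaped form. All function names and the sample diff are constructed for illustration.

```javascript
// Added example: hypothetical helper names, not Vitest's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can open a tag, entity or attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: diff text is concatenated into markup as-is, so tags inside the
// compared strings become live elements (the behaviour the issue describes).
function renderDiffUnsafe(diff) {
  return `<pre class="diff">${diff}</pre>`;
}

// Safe: classify each line by its diff prefix, escape the content, then wrap it.
function renderDiffSafe(diff) {
  const rows = diff.split('\n').map((line) => {
    const kind = line.startsWith('+') ? 'added' : line.startsWith('-') ? 'removed' : 'context';
    return `<span class="diff-${kind}">${escapeHtml(line)}</span>`;
  });
  return `<pre class="diff">${rows.join('\n')}</pre>`;
}

// Constructed sample: the diff of a failed comparison between two HTML strings.
const SAMPLE_DIFF = [
  '- Expected',
  '+ Received',
  '',
  '- <p class="ok">hello</p>',
  '+ <style>* { border: 1px solid green }</style><script>alert(1)</script>',
].join('\n');

// List tag names in the output that are not the renderer's own wrappers.
function foreignTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags
    .map((t) => t.replace(/[</]/g, '').toLowerCase())
    .filter((name) => name !== 'pre' && name !== 'span');
}

console.log('unsafe:', foreignTags(renderDiffUnsafe(SAMPLE_DIFF)));
console.log('safe:  ', foreignTags(renderDiffSafe(SAMPLE_DIFF)));
```

In a browser, assigning the diff text through `textContent` instead of building an HTML string gives the same result without manual escaping.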