mirror of
https://github.com/containers/podman.git
synced 2025-07-03 17:27:18 +08:00
Merge pull request #26432 from stefwalter/dont-html-escape-json
api: Don't HTML escape application/json responses
This commit is contained in:
openshift-merge-bot[bot]
@ -120,7 +120,7 @@ func WriteJSON(w http.ResponseWriter, code int, value interface{}) {
|
|||||||
w.WriteHeader(code)
|
w.WriteHeader(code)
|
||||||
|
|
||||||
coder := json.NewEncoder(w)
|
coder := json.NewEncoder(w)
|
||||||
coder.SetEscapeHTML(true)
|
coder.SetEscapeHTML(false)
|
||||||
if err := coder.Encode(value); err != nil {
|
if err := coder.Encode(value); err != nil {
|
||||||
logrus.Errorf("Unable to write json: %q", err)
|
logrus.Errorf("Unable to write json: %q", err)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -3,6 +3,9 @@
|
|||||||
package utils
|
package utils
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"net/http/httptest"
|
||||||
|
"reflect"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -53,3 +56,54 @@ func TestErrorEncoderFuncOmit(t *testing.T) {
|
|||||||
t.Errorf("the `errs` field shouldn't have been omitted")
|
t.Errorf("the `errs` field shouldn't have been omitted")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestWriteJSONNoHTMLEscape(t *testing.T) {
|
||||||
|
// Test that WriteJSON does not HTML-escape JSON content
|
||||||
|
// This test verifies the fix for issue #17769
|
||||||
|
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
|
||||||
|
// Test data with characters that would be HTML-escaped
|
||||||
|
testData := map[string]string{
|
||||||
|
"message": "Hello <world> & \"friends\"",
|
||||||
|
"script": "<script>alert('test')</script>",
|
||||||
|
"url": "https://example.com/path?param=value&other=<test>",
|
||||||
|
}
|
||||||
|
|
||||||
|
WriteJSON(recorder, 200, testData)
|
||||||
|
|
||||||
|
// Check response headers
|
||||||
|
if contentType := recorder.Header().Get("Content-Type"); contentType != "application/json" {
|
||||||
|
t.Errorf("Expected Content-Type 'application/json', got '%s'", contentType)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that response contains unescaped characters
|
||||||
|
body := recorder.Body.String()
|
||||||
|
|
||||||
|
// These characters should NOT be HTML-escaped in JSON responses
|
||||||
|
// (but quotes are still properly JSON-escaped)
|
||||||
|
expectedUnescaped := []string{
|
||||||
|
"<world>",
|
||||||
|
"&",
|
||||||
|
"\\\"friends\\\"", // JSON-escaped quotes, not HTML-escaped
|
||||||
|
"<script>",
|
||||||
|
"<test>",
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, expected := range expectedUnescaped {
|
||||||
|
if !strings.Contains(body, expected) {
|
||||||
|
t.Errorf("Expected unescaped string '%s' in response body, got: %s", expected, body)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify we can parse the JSON back
|
||||||
|
var parsed map[string]string
|
||||||
|
if err := json.Unmarshal([]byte(body), &parsed); err != nil {
|
||||||
|
t.Errorf("Failed to parse JSON response: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify the data matches what we sent
|
||||||
|
if !reflect.DeepEqual(parsed, testData) {
|
||||||
|
t.Errorf("Parsed message doesn't match original: got %v, want %v", parsed, testData)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user