kasunkv / owasp-zap-vsts-task

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests
MIT License

HTML Report data is not HTML encoded #54

Open insideou7 opened 4 years ago

insideou7 commented 4 years ago

XSS vulnerability evidence is ironically injected into the HTML report. See the example excerpt below:

```html
<tr>
    <td width="20%">
        <p class="lead font-italic" style="font-size: 1.1em;">&nbsp;&nbsp;&nbsp;&nbsp;Evidence</p>
    </td>
    <td width="80%">
        <p class="lead"></blockquote><script>alert(1);</script><blockquote></p>
    </td>
</tr>
```
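The excerpt above is the classic shape of this bug: scanner-controlled strings (the ZAP "evidence" field, which by construction contains attacker payloads) are interpolated straight into an HTML template, so the report itself executes the payload when someone opens it in the build summary or a browser. The fix is output encoding at the point of rendering. The following is an added example written for this issue, not code from owasp-zap-vsts-task; it is in JavaScript because Azure DevOps build tasks are commonly Node based. All names (`escapeHtml`, `safeHref`, `renderEvidenceRow`, `renderReport`, `sampleAlerts`, `reportHasLiveScript`) are hypothetical, and the sample alerts are constructed to look loosely like ZAP output, with the first one carrying the payload quoted in the issue.

```javascript
// Added example, not code from owasp-zap-vsts-task. All function and variable
// names here are hypothetical; sampleAlerts is constructed, not real ZAP output.

// Encode the five characters that can break out of an HTML text node or a
// double-quoted attribute value. Apply this at the point of output, never to
// stored data, so nothing gets double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escaping alone does not make a URL safe inside href: "javascript:alert(1)"
// survives escapeHtml untouched. Accept only absolute http(s) URLs that parse;
// anything else becomes an inert "#" link.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return escapeHtml(parsed.href);
    }
  } catch (_) {
    // not a parseable absolute URL; fall through to the inert value
  }
  return '#';
}

// The evidence row from the issue. encode=false reproduces the vulnerable
// behaviour (raw interpolation); encode=true is the hardened version.
function renderEvidenceRow(evidence, { encode }) {
  const cell = encode ? escapeHtml(evidence) : evidence;
  return '<tr><td width="20%"><p class="lead font-italic">Evidence</p></td>' +
         '<td width="80%"><p class="lead">' + cell + '</p></td></tr>';
}

// A whole alert table with every scanner-controlled field encoded, including
// the URL, which needs both scheme validation (attribute context) and encoding
// (text context).
function renderReport(alerts) {
  const rows = alerts.map(a =>
    '<tr>' +
    '<td>' + escapeHtml(a.risk) + '</td>' +
    '<td>' + escapeHtml(a.name) + '</td>' +
    '<td><a href="' + safeHref(a.url) + '">' + escapeHtml(a.url) + '</a></td>' +
    '<td>' + escapeHtml(a.evidence) + '</td>' +
    '</tr>');
  return '<table><thead><tr><th>Risk</th><th>Alert</th><th>URL</th>' +
         '<th>Evidence</th></tr></thead><tbody>' + rows.join('') + '</tbody></table>';
}

// Cheap regression check for a rendered report: no raw <script tag may appear.
function reportHasLiveScript(html) {
  return /<script/i.test(html);
}

// Constructed sample alerts (hypothetical). The first evidence value is the
// payload quoted in the issue; the second exercises the href path.
const sampleAlerts = [
  { risk: 'High', name: 'Cross Site Scripting (Reflected)',
    url: 'https://example.test/search?q=x',
    evidence: '</blockquote><script>alert(1);</script><blockquote>' },
  { risk: 'Low', name: 'Suspicious link in response',
    url: 'javascript:alert(document.domain)',
    evidence: '<a href="javascript:alert(1)">click</a>' },
];

console.log(renderEvidenceRow(sampleAlerts[0].evidence, { encode: false }));
console.log(renderEvidenceRow(sampleAlerts[0].evidence, { encode: true }));
console.log(renderReport(sampleAlerts));
```

Two design points worth keeping in mind when applying this to the task: encode at render time rather than when the alert is read from ZAP, so the same data can still be emitted into JSON or Markdown with the encoding appropriate to that format; and treat the href separately from text content, because entity encoding does nothing against a `javascript:` scheme in an attribute.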