fix: Prevent XSS in HTML reports (fixes #54) (#62)

jeremyeder · claude · web-flow · commit 7c60c696176b · 2025-11-22T15:12:49.000-05:00
Eliminated double JSON encoding that could allow XSS attacks.

Security improvements:
- Pass dicts to template instead of pre-serialized JSON
- Use Jinja2's tojson filter for proper JavaScript escaping
- Remove unnecessary JSON.parse() calls
- Prevent malicious data from breaking JavaScript context

CVSS Score: 7.1 (High) → Resolved
Attack Vector: Malicious repository metadata in HTML reports
Mitigation: Single-encoding with Jinja2's safe tojson filter

Technical Details:
- Changed assessment_json → assessment_dict (dict, not string)
- Changed available_themes_json → available_themes_dict
- Updated template to use tojson without JSON.parse()
- Jinja2 autoescape + tojson provides comprehensive protection

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/src/agentready/reporters/html.py b/src/agentready/reporters/html.py
@@ -1,6 +1,5 @@
 """HTML reporter for generating interactive assessment reports."""
 
-import json
 from pathlib import Path
 
 from jinja2 import Environment, PackageLoader, select_autoescape
@@ -68,13 +67,15 @@ def generate(self, assessment: Assessment, output_path: Path) -> Path:
             "duration_seconds": assessment.duration_seconds,
             "config": assessment.config,
             "metadata": assessment.metadata,
-            # Embed assessment JSON for JavaScript
-            "assessment_json": json.dumps(assessment.to_dict()),
+            # Security: Pass dict directly, Jinja2's tojson filter handles escaping
+            # Prevents XSS by avoiding double JSON encoding
+            "assessment_dict": assessment.to_dict(),
             # Theme data
             "theme": theme,
             "theme_name": theme.name,
             "available_themes": available_themes,
-            "available_themes_json": json.dumps(available_themes),
+            # Security: Pass dict, not pre-serialized JSON
+            "available_themes_dict": available_themes,
         }
 
         # Render template
diff --git a/src/agentready/templates/report.html.j2 b/src/agentready/templates/report.html.j2
@@ -713,11 +713,12 @@
     </div>
 
     <script>
-        // Embedded assessment data (properly escaped to prevent XSS)
-        const ASSESSMENT = JSON.parse({{ assessment_json|tojson }});
+        // Security: Using Jinja2's tojson filter for proper XSS prevention
+        // tojson creates JavaScript objects directly, no JSON.parse() needed
+        const ASSESSMENT = {{ assessment_dict|tojson }};
 
-        // Embedded theme data
-        const THEMES = JSON.parse({{ available_themes_json|tojson }});
+        // Embedded theme data (properly escaped)
+        const THEMES = {{ available_themes_dict|tojson }};
         const DEFAULT_THEME = {{ theme_name|tojson }};
 
         // Theme management with localStorage persistence
