Escape html comments in json

mpkorstanje · mpkorstanje · commit fdbb90ca33fd · 2025-08-10T13:38:34.000+02:00
In brief, explained in more detail by Jon Surrel[1], both `</script>` and `<!--` are interpreted by the html render. We caught the first one, but not the second. The W3C recommendation is to escape the `<` instead with `\x3C`[2]. 1. https://sirre.al/2025/08/06/safe-json-in-script-tags-how-not-to-break-a-site/ 2. https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Changed
 - Upgrade `react-components` to [23.2.0](https://github.com/cucumber/react-components/releases/tag/v23.2.0)
 
+### Fixed
+- Escape html comments in json ([#408](https://github.com/cucumber/html-formatter/pull/408))
+
 ## [21.13.0] - 2025-07-07
 ### Changed
 - Upgrade `cucumber-messages` to [28.0.0](https://github.com/cucumber/messages/releases/tag/v28.0.0)
diff --git a/dotnet/Cucumber.HtmlFormatter/JsonInHtmlWriter.cs b/dotnet/Cucumber.HtmlFormatter/JsonInHtmlWriter.cs
@@ -33,7 +33,8 @@ public override void Write(char[] source, int offset, int length)
             throw new ArgumentException("Cannot read past the end of the input source char array.");
 
         var destination = PrepareBuffer();
-        var flushAt = BUFFER_SIZE - 2;
+        // Largest write without boundary check is 4 bytes
+        var flushAt = BUFFER_SIZE - 4;
         var written = 0;
         for (var i = offset; i < offset + length; i++)
         {
@@ -46,12 +47,19 @@ public override void Write(char[] source, int offset, int length)
                 written = 0;
             }
 
-            // Write with escapes
-            if (c == '/')
+            // Replace < with \x3C
+            // https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+            if (c == '<')
             {
                 destination[written++] = '\\';
+                destination[written++] = 'x';
+                destination[written++] = '3';
+                destination[written++] = 'C';
+            } 
+            else
+            {
+                destination[written++] = c;
             }
-            destination[written++] = c;
         }
         // Flush any remaining
         if (written > 0)
@@ -66,7 +74,8 @@ public override async Task WriteAsync(char[] source, int offset, int length)
             throw new ArgumentException("Cannot read past the end of the input source char array.");
 
         var destination = PrepareBuffer();
-        var flushAt = BUFFER_SIZE - 2;
+        // Largest write without boundary check is 4 bytes
+        var flushAt = BUFFER_SIZE - 4;
         var written = 0;
         for (var i = offset; i < offset + length; i++)
         {
@@ -79,12 +88,19 @@ public override async Task WriteAsync(char[] source, int offset, int length)
                 written = 0;
             }
 
-            // Write with escapes
-            if (c == '/')
+            // Replace < with \x3C
+            // https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+            if (c == '<')
             {
                 destination[written++] = '\\';
+                destination[written++] = 'x';
+                destination[written++] = '3';
+                destination[written++] = 'C';
+            } 
+            else
+            {
+                destination[written++] = c;
             }
-            destination[written++] = c;
         }
         // Flush any remaining
         if (written > 0)
diff --git a/dotnet/Cucumber.HtmlFormatterTest/JsonInHtmlWriterTests.cs b/dotnet/Cucumber.HtmlFormatterTest/JsonInHtmlWriterTests.cs
@@ -32,29 +32,29 @@ public async Task WritesAsync()
     [TestMethod]
     public void EscapesSingle()
     {
-        _writer.Write("/");
-        Assert.AreEqual("\\/", Output());
+        _writer.Write("<");
+        Assert.AreEqual("\\x3C", Output());
     }
 
     [TestMethod]
     public async Task EscapesSingleAsync()
     {
-        await _writer.WriteAsync("/");
-        Assert.AreEqual("\\/", await OutputAsync());
+        await _writer.WriteAsync("<");
+        Assert.AreEqual("\\x3C", await OutputAsync());
     }
 
     [TestMethod]
     public void EscapesMultiple()
     {
         _writer.Write("</script><script></script>");
-        Assert.AreEqual("<\\/script><script><\\/script>", Output());
+        Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", Output());
     }
 
     [TestMethod]
     public async Task EscapesMultipleAsync()
     {
         await _writer.WriteAsync("</script><script></script>");
-        Assert.AreEqual("<\\/script><script><\\/script>", await OutputAsync());
+        Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", await OutputAsync());
     }
 
     [TestMethod]
@@ -72,7 +72,7 @@ public void PartialWrites()
         text.CopyTo(17, buffer, 4, 9);
         _writer.Write(buffer, 4, 9);
 
-        Assert.AreEqual("<\\/script><script><\\/script>", Output());
+        Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", Output());
     }
 
     [TestMethod]
@@ -90,7 +90,7 @@ public async Task PartialWritesAsync()
         text.CopyTo(17, buffer, 4, 9);
         await _writer.WriteAsync(buffer, 4, 9);
 
-        Assert.AreEqual("<\\/script><script><\\/script>", await OutputAsync());
+        Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", await OutputAsync());
     }
     [TestMethod]
     public void LargeWritesWithOddBoundaries()
@@ -99,15 +99,15 @@ public void LargeWritesWithOddBoundaries()
         buffer[0] = 'a';
         for (int i = 1; i < buffer.Length; i++)
         {
-            buffer[i] = '/';
+            buffer[i] = '<';
         }
         _writer.Write(buffer);
 
         StringBuilder expected = new StringBuilder();
         expected.Append('a');
         for (int i = 1; i < buffer.Length; i++)
         {
-            expected.Append("\\/");
+            expected.Append("\\x3C");
         }
         Assert.AreEqual(expected.ToString(), Output());
     }
@@ -119,15 +119,15 @@ public async Task LargeWritesWithOddBoundariesAsync()
         buffer[0] = 'a';
         for (int i = 1; i < buffer.Length; i++)
         {
-            buffer[i] = '/';
+            buffer[i] = '<';
         }
         await _writer.WriteAsync(buffer);
 
         StringBuilder expected = new StringBuilder();
         expected.Append('a');
         for (int i = 1; i < buffer.Length; i++)
         {
-            expected.Append("\\/");
+            expected.Append("\\x3C");
         }
         Assert.AreEqual(expected.ToString(), await OutputAsync());
     }
@@ -138,14 +138,14 @@ public void ReallyLargeWrites()
         char[] buffer = new char[2048];
         for (int i = 0; i < buffer.Length; i++)
         {
-            buffer[i] = '/';
+            buffer[i] = '<';
         }
         _writer.Write(buffer);
 
         StringBuilder expected = new StringBuilder();
         for (int i = 0; i < buffer.Length; i++)
         {
-            expected.Append("\\/");
+            expected.Append("\\x3C");
         }
         Assert.AreEqual(expected.ToString(), Output());
     }
@@ -156,14 +156,14 @@ public async Task ReallyLargeWritesAsync()
         char[] buffer = new char[2048];
         for (int i = 0; i < buffer.Length; i++)
         {
-            buffer[i] = '/';
+            buffer[i] = '<';
         }
         await _writer.WriteAsync(buffer);
 
         StringBuilder expected = new StringBuilder();
         for (int i = 0; i < buffer.Length; i++)
         {
-            expected.Append("\\/");
+            expected.Append("\\x3C");
         }
         Assert.AreEqual(expected.ToString(), await OutputAsync());
     }
diff --git a/dotnet/Cucumber.HtmlFormatterTest/MessagesToHtmlWriterTest.cs b/dotnet/Cucumber.HtmlFormatterTest/MessagesToHtmlWriterTest.cs
@@ -173,30 +173,30 @@ public async Task ItWritesTwoMessagesSeparatedByACommaAsync()
     }
 
     [TestMethod]
-    public void ItEscapesForwardSlashes()
+    public void ItEscapesOpeningAngleBracket()
     {
         Envelope envelope = Envelope.Create(new GherkinDocument(
             null,
             null,
             [new(new Location(0L, 0L), "</script><script>alert('Hello')</script>")]
         ));
         string html = RenderAsHtml(envelope);
-        Assert.IsTrue(html.Contains("window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"<\\/script><script>alert('Hello')<\\/script>\"}]}}];"),
-            $"Expected \"window.CUCUMBER_MESSAGES = [{{\\\"gherkinDocument\\\":{{\\\"comments\\\":[{{\\\"location\\\":{{\\\"line\\\":0,\\\"column\\\":0}},\\\"text\\\":\\\"<\\\\/script><script>alert('Hello')<\\\\/script>\\\"}}]}}];" +
+        Assert.IsTrue(html.Contains("window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"\\x3C/script>\\x3Cscript>alert('Hello')\\x3C/script>\"}]}}];"),
+            $"Expected \"window.CUCUMBER_MESSAGES = [{{\\\"gherkinDocument\\\":{{\\\"comments\\\":[{{\\\"location\\\":{{\\\"line\\\":0,\\\"column\\\":0}},\\\"text\\\":\\\"\\\\x3C/script>\\\\x3Cscript>alert('Hello')\\\\x3C/script>\\\"}}]}}];" +
             $"\nbut instead had: \n{html.Substring(html.IndexOf("window.CUCUMBER"))}");
     }
 
     [TestMethod]
-    public async Task ItEscapesForwardSlashesAsync()
+    public async Task ItEscapesOpeningAngleBracketAsync()
     {
         Envelope envelope = Envelope.Create(new GherkinDocument(
             null,
             null,
             [new(new Location(0L, 0L), "</script><script>alert('Hello')</script>")]
         ));
         string html = await RenderAsHtmlAsync(envelope);
-        Assert.IsTrue(html.Contains("window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"<\\/script><script>alert('Hello')<\\/script>\"}]}}];"),
-            $"Expected \"window.CUCUMBER_MESSAGES = [{{\\\"gherkinDocument\\\":{{\\\"comments\\\":[{{\\\"location\\\":{{\\\"line\\\":0,\\\"column\\\":0}},\\\"text\\\":\\\"<\\\\/script><script>alert('Hello')<\\\\/script>\\\"}}]}}];" +
+        Assert.IsTrue(html.Contains("window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"\\x3C/script>\\x3Cscript>alert('Hello')\\x3C/script>\"}]}}];"),
+            $"Expected \"window.CUCUMBER_MESSAGES = [{{\\\"gherkinDocument\\\":{{\\\"comments\\\":[{{\\\"location\\\":{{\\\"line\\\":0,\\\"column\\\":0}},\\\"text\\\":\\\"\\\\x3C/script>\\\\x3Cscript>alert('Hello')\\\\x3C/script>\\\"}}]}}];" +
             $"\nbut instead had: \n{html.Substring(html.IndexOf("window.CUCUMBER"))}");
     }
 
diff --git a/java/src/main/java/io/cucumber/htmlformatter/JsonInHtmlWriter.java b/java/src/main/java/io/cucumber/htmlformatter/JsonInHtmlWriter.java
@@ -19,7 +19,8 @@ class JsonInHtmlWriter extends Writer {
     @Override
     public void write(char[] source, int offset, int length) throws IOException {
         char[] destination = prepareBuffer();
-        int flushAt = BUFFER_SIZE - 2;
+        // Largest write without boundary check is 4 bytes
+        int flushAt = BUFFER_SIZE - 4;
         int written = 0;
         for (int i = offset; i < offset + length; i++) {
             char c = source[i];
@@ -30,11 +31,16 @@ public void write(char[] source, int offset, int length) throws IOException {
                 written = 0;
             }
 
-            // Write with escapes
-            if (c == '/') {
+            // Replace < with \x3C
+            // https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+            if (c == '<') {
                 destination[written++] = '\\';
+                destination[written++] = 'x';
+                destination[written++] = '3';
+                destination[written++] = 'C';
+            } else {
+                destination[written++] = c;
             }
-            destination[written++] = c;
         }
         // Flush any remaining
         if (written > 0) {
diff --git a/java/src/test/java/io/cucumber/htmlformatter/JsonInHtmlWriterTest.java b/java/src/test/java/io/cucumber/htmlformatter/JsonInHtmlWriterTest.java
@@ -24,14 +24,14 @@ void writes() throws IOException {
 
     @Test
     void escapes_single() throws IOException {
-        writer.write("/");
-        assertEquals("\\/", output());
+        writer.write("<");
+        assertEquals("\\x3C", output());
     }
 
     @Test
     void escapes_multiple() throws IOException {
         writer.write("</script><script></script>");
-        assertEquals("<\\/script><script><\\/script>", output());
+        assertEquals("\\x3C/script>\\x3Cscript>\\x3C/script>", output());
     }
 
     @Test
@@ -48,21 +48,21 @@ void partial_writes() throws IOException {
         text.getChars(17, 26, buffer, 4);
         writer.write(buffer, 4, 9);
 
-        assertEquals("<\\/script><script><\\/script>", output());
+        assertEquals("\\x3C/script>\\x3Cscript>\\x3C/script>", output());
     }
 
     @Test
     void large_writes_with_odd_boundaries() throws IOException {
         char[] buffer = new char[1024];
         // This forces the buffer to flush after every 1023 written characters.
         buffer[0] = 'a';
-        Arrays.fill(buffer, 1, buffer.length, '/');
+        Arrays.fill(buffer, 1, buffer.length, '<');
         writer.write(buffer);
 
         StringBuilder expected = new StringBuilder();
         expected.append("a");
         for (int i = 1; i < buffer.length; i++) {
-            expected.append("\\/");
+            expected.append("\\x3C");
         }
         assertEquals(expected.toString(), output());
     }
@@ -71,12 +71,12 @@ void large_writes_with_odd_boundaries() throws IOException {
     @Test
     void really_large_writes() throws IOException {
         char[] buffer = new char[2048];
-        Arrays.fill(buffer, '/');
+        Arrays.fill(buffer, '<');
         writer.write(buffer);
 
         StringBuilder expected = new StringBuilder();
         for (int i = 0; i < buffer.length; i++) {
-            expected.append("\\/");
+            expected.append("\\x3C");
         }
         assertEquals(expected.toString(), output());
     }
diff --git a/java/src/test/java/io/cucumber/htmlformatter/MessagesToHtmlWriterTest.java b/java/src/test/java/io/cucumber/htmlformatter/MessagesToHtmlWriterTest.java
@@ -4,7 +4,6 @@
 import io.cucumber.messages.Convertor;
 import io.cucumber.messages.types.Comment;
 import io.cucumber.messages.types.Envelope;
-import io.cucumber.messages.types.Feature;
 import io.cucumber.messages.types.GherkinDocument;
 import io.cucumber.messages.types.Location;
 import io.cucumber.messages.types.TestRunFinished;
@@ -14,8 +13,6 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.time.Instant;
-import java.util.Arrays;
-import java.util.Collections;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.Collections.singletonList;
@@ -91,7 +88,7 @@ void it_writes_two_messages_separated_by_a_comma() throws IOException {
 
 
     @Test
-    void it_escapes_forward_slashes() throws IOException {
+    void it_escapes_opening_angle_bracket() throws IOException {
         Envelope envelope = Envelope.of(new GherkinDocument(
                 null,
                 null,
@@ -102,7 +99,7 @@ void it_escapes_forward_slashes() throws IOException {
         ));
         String html = renderAsHtml(envelope);
         assertThat(html, containsString(
-                "window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"<\\/script><script>alert('Hello')<\\/script>\"}]}}];"));
+                "window.CUCUMBER_MESSAGES = [{\"gherkinDocument\":{\"comments\":[{\"location\":{\"line\":0,\"column\":0},\"text\":\"\\x3C/script>\\x3Cscript>alert('Hello')\\x3C/script>\"}]}}];"));
     }
 
     private static String renderAsHtml(Envelope... messages) throws IOException {
diff --git a/javascript/src/CucumberHtmlStream.spec.ts b/javascript/src/CucumberHtmlStream.spec.ts
@@ -91,7 +91,7 @@ describe('CucumberHtmlStream', () => {
     const html = await renderAsHtml(e1)
     assert(
       html.indexOf(
-        `window.CUCUMBER_MESSAGES = [{"gherkinDocument":{"comments":[{"location":{"line":0,"column":0},"text":"<\\/script><script>alert('Hello')<\\/script>"}]}}];`
+        `window.CUCUMBER_MESSAGES = [{"gherkinDocument":{"comments":[{"location":{"line":0,"column":0},"text":"\\x3C/script>\\x3Cscript>alert('Hello')\\x3C/script>"}]}}];`
       ) >= 0
     )
   })
diff --git a/javascript/src/CucumberHtmlStream.ts b/javascript/src/CucumberHtmlStream.ts
@@ -116,6 +116,8 @@ export class CucumberHtmlStream extends Transform {
     } else {
       this.push(',')
     }
-    this.push(JSON.stringify(envelope).replace(/\//g, '\\/'))
+    // Replace < with \x3C
+    // https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+    this.push(JSON.stringify(envelope).replace(/</g, '\\x3C'))
   }
 }
diff --git a/ruby/lib/cucumber/html_formatter/formatter.rb b/ruby/lib/cucumber/html_formatter/formatter.rb
@@ -23,7 +23,9 @@ def process_messages(messages)
 
       def write_message(message)
         out.puts(',') unless @first_message
-        out.print(message.to_json.gsub('/', '\/'))
+        # Replace < with \x3C
+        # https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+        out.print(message.to_json.gsub('<', "\\x3C"))
 
         @first_message = false
       end
diff --git a/ruby/spec/cucumber/html_formatter/formatter_spec.rb b/ruby/spec/cucumber/html_formatter/formatter_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -32,29 +32,29 @@ public async Task WritesAsync()`
`32`	`32`	`[TestMethod]`
`33`	`33`	`public void EscapesSingle()`
`34`	`34`	`{`
`35`		`- _writer.Write("/");`
`36`		`- Assert.AreEqual("\\/", Output());`
	`35`	`+ _writer.Write("<");`
	`36`	`+ Assert.AreEqual("\\x3C", Output());`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`[TestMethod]`
`40`	`40`	`public async Task EscapesSingleAsync()`
`41`	`41`	`{`
`42`		`- await _writer.WriteAsync("/");`
`43`		`- Assert.AreEqual("\\/", await OutputAsync());`
	`42`	`+ await _writer.WriteAsync("<");`
	`43`	`+ Assert.AreEqual("\\x3C", await OutputAsync());`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`[TestMethod]`
`47`	`47`	`public void EscapesMultiple()`
`48`	`48`	`{`
`49`	`49`	`_writer.Write("</script><script></script>");`
`50`		`- Assert.AreEqual("<\\/script><script><\\/script>", Output());`
	`50`	`+ Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", Output());`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`[TestMethod]`
`54`	`54`	`public async Task EscapesMultipleAsync()`
`55`	`55`	`{`
`56`	`56`	`await _writer.WriteAsync("</script><script></script>");`
`57`		`- Assert.AreEqual("<\\/script><script><\\/script>", await OutputAsync());`
	`57`	`+ Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", await OutputAsync());`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`[TestMethod]`
`@@ -72,7 +72,7 @@ public void PartialWrites()`
`72`	`72`	`text.CopyTo(17, buffer, 4, 9);`
`73`	`73`	`_writer.Write(buffer, 4, 9);`
`74`	`74`
`75`		`- Assert.AreEqual("<\\/script><script><\\/script>", Output());`
	`75`	`+ Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", Output());`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`[TestMethod]`
`@@ -90,7 +90,7 @@ public async Task PartialWritesAsync()`
`90`	`90`	`text.CopyTo(17, buffer, 4, 9);`
`91`	`91`	`await _writer.WriteAsync(buffer, 4, 9);`
`92`	`92`
`93`		`- Assert.AreEqual("<\\/script><script><\\/script>", await OutputAsync());`
	`93`	`+ Assert.AreEqual("\\x3C/script>\\x3Cscript>\\x3C/script>", await OutputAsync());`
`94`	`94`	`}`
`95`	`95`	`[TestMethod]`
`96`	`96`	`public void LargeWritesWithOddBoundaries()`
`@@ -99,15 +99,15 @@ public void LargeWritesWithOddBoundaries()`
`99`	`99`	`buffer[0] = 'a';`
`100`	`100`	`for (int i = 1; i < buffer.Length; i++)`
`101`	`101`	`{`
`102`		`- buffer[i] = '/';`
	`102`	`+ buffer[i] = '<';`
`103`	`103`	`}`
`104`	`104`	`_writer.Write(buffer);`
`105`	`105`
`106`	`106`	`StringBuilder expected = new StringBuilder();`
`107`	`107`	`expected.Append('a');`
`108`	`108`	`for (int i = 1; i < buffer.Length; i++)`
`109`	`109`	`{`
`110`		`- expected.Append("\\/");`
	`110`	`+ expected.Append("\\x3C");`
`111`	`111`	`}`
`112`	`112`	`Assert.AreEqual(expected.ToString(), Output());`
`113`	`113`	`}`
`@@ -119,15 +119,15 @@ public async Task LargeWritesWithOddBoundariesAsync()`
`119`	`119`	`buffer[0] = 'a';`
`120`	`120`	`for (int i = 1; i < buffer.Length; i++)`
`121`	`121`	`{`
`122`		`- buffer[i] = '/';`
	`122`	`+ buffer[i] = '<';`
`123`	`123`	`}`
`124`	`124`	`await _writer.WriteAsync(buffer);`
`125`	`125`
`126`	`126`	`StringBuilder expected = new StringBuilder();`
`127`	`127`	`expected.Append('a');`
`128`	`128`	`for (int i = 1; i < buffer.Length; i++)`
`129`	`129`	`{`
`130`		`- expected.Append("\\/");`
	`130`	`+ expected.Append("\\x3C");`
`131`	`131`	`}`
`132`	`132`	`Assert.AreEqual(expected.ToString(), await OutputAsync());`
`133`	`133`	`}`
`@@ -138,14 +138,14 @@ public void ReallyLargeWrites()`
`138`	`138`	`char[] buffer = new char[2048];`
`139`	`139`	`for (int i = 0; i < buffer.Length; i++)`
`140`	`140`	`{`
`141`		`- buffer[i] = '/';`
	`141`	`+ buffer[i] = '<';`
`142`	`142`	`}`
`143`	`143`	`_writer.Write(buffer);`
`144`	`144`
`145`	`145`	`StringBuilder expected = new StringBuilder();`
`146`	`146`	`for (int i = 0; i < buffer.Length; i++)`
`147`	`147`	`{`
`148`		`- expected.Append("\\/");`
	`148`	`+ expected.Append("\\x3C");`
`149`	`149`	`}`
`150`	`150`	`Assert.AreEqual(expected.ToString(), Output());`
`151`	`151`	`}`
`@@ -156,14 +156,14 @@ public async Task ReallyLargeWritesAsync()`
`156`	`156`	`char[] buffer = new char[2048];`
`157`	`157`	`for (int i = 0; i < buffer.Length; i++)`
`158`	`158`	`{`
`159`		`- buffer[i] = '/';`
	`159`	`+ buffer[i] = '<';`
`160`	`160`	`}`
`161`	`161`	`await _writer.WriteAsync(buffer);`
`162`	`162`
`163`	`163`	`StringBuilder expected = new StringBuilder();`
`164`	`164`	`for (int i = 0; i < buffer.Length; i++)`
`165`	`165`	`{`
`166`		`- expected.Append("\\/");`
	`166`	`+ expected.Append("\\x3C");`
`167`	`167`	`}`
`168`	`168`	`Assert.AreEqual(expected.ToString(), await OutputAsync());`
`169`	`169`	`}`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ describe('CucumberHtmlStream', () => {`
`91`	`91`	`const html = await renderAsHtml(e1)`
`92`	`92`	`assert(`
`93`	`93`	`html.indexOf(`
`94`		- `window.CUCUMBER_MESSAGES = [{"gherkinDocument":{"comments":[{"location":{"line":0,"column":0},"text":"<\\/script><script>alert('Hello')<\\/script>"}]}}];`
	`94`	+ `window.CUCUMBER_MESSAGES = [{"gherkinDocument":{"comments":[{"location":{"line":0,"column":0},"text":"\\x3C/script>\\x3Cscript>alert('Hello')\\x3C/script>"}]}}];`
`95`	`95`	`) >= 0`
`96`	`96`	`)`
`97`	`97`	`})`
Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,8 @@ export class CucumberHtmlStream extends Transform {`
`116`	`116`	`} else {`
`117`	`117`	`this.push(',')`
`118`	`118`	`}`
`119`		`- this.push(JSON.stringify(envelope).replace(/\//g, '\\/'))`
	`119`	`+ // Replace < with \x3C`
	`120`	`+ // https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements`
	`121`	`+ this.push(JSON.stringify(envelope).replace(/</g, '\\x3C'))`
`120`	`122`	`}`
`121`	`123`	`}`