Function arguments are not escaped when outputting results of calledOnceWith() #33416

@matafokka

Description

Current behavior

HTML in function arguments breaks report markup due to poor escaping:

[Image: screenshot of the broken report markup]

Desired behavior

Any output is properly escaped

Test code to reproduce

Repo: https://github.com/matafokka/cypress-html-escaping-bug-repro

Example test from the same repo:

describe("Strings passed in arguments", () => {
  it("should be escaped", () => {
    const obj = {
      method: () => undefined,
    };

    cy.spy(obj, "method");

    const markup = `<svg viewBox="0 0 10 10" width="10" height="10"></svg>`;

    obj.method(markup);
    expect(obj.method).to.have.been.calledOnceWith(markup);
  });
});

Cypress Version

15.11.0

Debug Logs

Wasn't able to paste it here, so here's a gist:

https://gist.github.com/matafokka/0069752ba81e2c5018a6f02c984adc20

Other

I wasn't able to implement an XSS attack using this bug.

In theory, this could be used by a malicious resource to break the markup and insert convincing-looking text to trick the user into compromising themselves.

While realistically this bug is harmless, things like string escaping should be properly implemented (by just using element.innerText = ...) to prevent more serious issues.
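An added example, not Cypress's code or the reporter's: the naive rendering that reproduces the bug beside the escaped form the issue asks for, run on the same markup string as the test above. `renderUnsafe`, `renderSafe`, `escapeHtml` and `foreignTags` are names assumed here, and the assertion message template is a stand-in for whatever the real reporter emits.

```javascript
// Constructed sample: the same argument string used in the repro test above.
const markup = `<svg viewBox="0 0 10 10" width="10" height="10"></svg>`;

// Naive rendering: the argument is concatenated straight into report HTML,
// so any tags inside it become part of the report's DOM (the bug described above).
function renderUnsafe(spyName, arg) {
  return `<span class="assert">expected <b>${spyName}</b> to have been called once with ${JSON.stringify(arg)}</span>`;
}

// Escape the five characters that can change HTML structure or break out of
// an attribute value. This is the string-level equivalent of assigning the
// text through `element.innerText`, which lets the browser escape it for you.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted value is escaped before interpolation.
function renderSafe(spyName, arg) {
  return `<span class="assert">expected <b>${escapeHtml(spyName)}</b> to have been called once with ${escapeHtml(JSON.stringify(arg))}</span>`;
}

// A check a report author can keep in their own tests: after escaping, the only
// tags present in the output are the ones the template itself produced.
function foreignTags(html, allowed) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1])
    .filter((t) => !allowed.includes(t));
}

const ALLOWED = ["span", "b"];

console.log(renderUnsafe("method", markup)); // <svg ...> lands in the report DOM
console.log(renderSafe("method", markup));   // &lt;svg ...&gt; is shown as text
```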
