Add test for HTML escaping in generated scraper code (#105)

mbuckingham74 · claude · web-flow · commit 3a0a3412fe49 · 2025-12-02T07:26:31.000-05:00
Ensures that AI-generated Python code containing HTML-like sequences (</script>, </code>, </pre>) is properly escaped when rendered in the admin partial. This prevents XSS and JavaScript parsing errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/backend/tests/test_admin.py b/backend/tests/test_admin.py
@@ -801,6 +801,39 @@ def test_generate_scraper_ai_not_available(self, mock_available, admin_client, d
         assert response.status_code == 400
         assert "not available" in response.text.lower() or "api" in response.text.lower()
 
+    @patch("app.routers.admin.generate_scraper_for_url")
+    @patch("app.routers.admin.is_ai_analysis_available")
+    def test_generated_scraper_escapes_html_in_code(self, mock_available, mock_generate, admin_client, db, active_source):
+        """Generated code with HTML-like content should be escaped to prevent XSS/parsing errors."""
+        from app.services.ai_analyzer import GeneratedScraper
+
+        mock_available.return_value = True
+
+        # Code containing sequences that would break HTML if not escaped
+        malicious_code = '''class TestScraper(BaseScraper):
+    def parse(self):
+        html = "</script><script>alert('xss')</script>"
+        code = "</code></pre><div>injected</div>"
+        return html
+'''
+        mock_generate.return_value = GeneratedScraper(
+            success=True,
+            code=malicious_code,
+            class_name="TestScraper"
+        )
+
+        response = admin_client.post(f"/admin/sources/{active_source.id}/generate-scraper")
+        assert response.status_code == 200
+
+        # The response should contain HTML-escaped versions
+        assert "&lt;/script&gt;" in response.text
+        assert "&lt;/code&gt;" in response.text
+        assert "&lt;/pre&gt;" in response.text
+
+        # Raw HTML-breaking sequences should NOT appear
+        assert "</script><script>" not in response.text
+        assert "</code></pre>" not in response.text
+
 
 class TestUrlNormalization:
     """Tests for _normalize_url function used in duplicate detection."""
