Add test for HTML escaping in generated scraper code #105
Ensures that AI-generated Python code containing HTML-like sequences (`</script>`, `</code>`, `</pre>`) is properly escaped when rendered in the admin partial. This prevents XSS and JavaScript parsing errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
```python
# Raw HTML-breaking sequences should NOT appear
assert "</script><script>" not in response.text
assert "</code></pre>" not in response.text
```
Test forbids template closing tags that are always present

The new assertion `assert "</code></pre>" not in response.text` will fail even when the scraper code is properly escaped, because the `generated_scraper.html` template always emits its own `</code></pre>` closing tags around the code block (see `backend/app/templates/admin/partials/generated_scraper.html:66`). That means this test will always fail regardless of the fix it intends to protect, preventing the suite from passing and not actually detecting regressions in escaping. The check should look for escaped sequences or additional occurrences instead of forbidding the template's markup.
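The check the review suggests, written out as an added example that is not part of this PR or the project's code: the template string, the sample scraper code and the helper names below are constructed stand-ins, and `html.escape` stands in for Jinja2's `|e` filter. It compares the naive assertion from the PR (which rejects the template's own `</code></pre>`) with a check that only counts raw occurrences beyond what the template itself emits and requires the escaped form to be present.

```python
import html

# Constructed stand-in for the generated_scraper.html partial. The template itself
# always wraps the code in <pre><code>...</code></pre>, so the literal closing tags
# are present in every response regardless of whether the code was escaped.
TEMPLATE = '<div class="scraper"><pre><code>{code}</code></pre></div>'

# Constructed sample of AI-generated scraper code carrying HTML-breaking sequences.
SAMPLE_CODE = 'html = "</script><script>alert(1)</script></code></pre>"\nprint(html)'

# Sequences that would terminate the surrounding block or a script context.
BREAKING_SEQUENCES = ("</script>", "</code>", "</pre>")


def render(code: str, escape: bool = True) -> str:
    """Render the partial. escape=True models the `|e` filter; False models its removal."""
    body = html.escape(code, quote=False) if escape else code
    return TEMPLATE.format(code=body)


def template_markup_count(template: str, seq: str) -> int:
    """How many times the template itself emits `seq` when the code block is empty."""
    return template.format(code="").count(seq)


def naive_check(rendered: str) -> bool:
    """The assertion as written in the PR: False for every response, because the
    template's own </code></pre> is always present."""
    return "</script><script>" not in rendered and "</code></pre>" not in rendered


def is_properly_escaped(rendered: str, code: str) -> bool:
    """Regression check that tolerates the template's own closing tags.

    For each breaking sequence present in the source code:
      1. its escaped form (&lt;/script&gt; etc.) must appear in the response, and
      2. the number of raw occurrences must not exceed the template's baseline.
    """
    for seq in BREAKING_SEQUENCES:
        if seq not in code:
            continue
        if html.escape(seq, quote=False) not in rendered:
            return False  # escaping was removed entirely
        if rendered.count(seq) > template_markup_count(TEMPLATE, seq):
            return False  # an extra raw closing tag leaked from the code
    return True


if __name__ == "__main__":
    for escaped in (True, False):
        out = render(SAMPLE_CODE, escape=escaped)
        print(f"escape={escaped}: naive={naive_check(out)} "
              f"robust={is_properly_escaped(out, SAMPLE_CODE)}")
```

Run stand-alone, the naive check reports `False` for both the escaped and the unescaped rendering, so it cannot distinguish a regression from a correct fix, while the baseline-count check passes only when the `|e` filter is in place.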
Summary

- `</script>`, `</code>`, `</pre>` in code are escaped to `&lt;/script&gt;` etc.

Test plan

- `|e` filter is removed from `generated_scraper.html`