From c59c80e7202ff4068954e81ec6f3b715ca6dc752 Mon Sep 17 00:00:00 2001
From: Mike-Ki
Date: Thu, 7 May 2026 17:21:34 +0200
Subject: [PATCH 1/2] Fixed XSS vulns in deserialization testfiles
---
 testcode/BenchmarkTest00079.py | 2 +-
 testcode/BenchmarkTest00269.py | 2 +-
 testcode/BenchmarkTest00270.py | 2 +-
 testcode/BenchmarkTest00271.py | 2 +-
 testcode/BenchmarkTest00434.py | 2 +-
 testcode/BenchmarkTest00435.py | 2 +-
 testcode/BenchmarkTest00827.py | 2 +-
 testcode/BenchmarkTest00828.py | 2 +-
 testcode/BenchmarkTest00904.py | 2 +-
 testcode/BenchmarkTest00994.py | 2 +-
 testcode/BenchmarkTest00998.py | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/testcode/BenchmarkTest00079.py b/testcode/BenchmarkTest00079.py
index e38f0a85..57520b9b 100644
--- a/testcode/BenchmarkTest00079.py
+++ b/testcode/BenchmarkTest00079.py
@@ -46,7 +46,7 @@ def BenchmarkTest00079_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00269.py b/testcode/BenchmarkTest00269.py
index c5776a9c..224b1ea5 100644
--- a/testcode/BenchmarkTest00269.py
+++ b/testcode/BenchmarkTest00269.py
@@ -44,7 +44,7 @@ def BenchmarkTest00269_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00270.py b/testcode/BenchmarkTest00270.py
index 587355f6..7a51ff96 100644
--- a/testcode/BenchmarkTest00270.py
+++ b/testcode/BenchmarkTest00270.py
@@ -41,7 +41,7 @@ def BenchmarkTest00270_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(obj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00271.py b/testcode/BenchmarkTest00271.py
index d3937ee5..8a8cf01d 100644
--- a/testcode/BenchmarkTest00271.py
+++ b/testcode/BenchmarkTest00271.py
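Review bot: In the BenchmarkTest00270.py hunk the added line reads `escape_for_html(obj['text'])` while the removed line and the context assignment both use `yobj`, so unless `obj` is bound earlier in the function (outside the hunk) this raises NameError at request time; it should read `escape_for_html(yobj['text'])` as in the other 32 hunks. Because the bare `except:` two lines below is kept as context, that NameError would be swallowed and the case would silently fall into the error branch instead of failing loudly, so the mistake would not surface in a test run. None of the hunks in either patch show where `escape_for_html` comes from; if any of the 33 touched files does not already import it, the same silent fallback applies there, so that is worth confirming per file. BenchmarkTest00270_post's body continues outside the hunk.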
@@ -52,7 +52,7 @@ def BenchmarkTest00271_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00434.py b/testcode/BenchmarkTest00434.py
index 04e83362..a75ae9b9 100644
--- a/testcode/BenchmarkTest00434.py
+++ b/testcode/BenchmarkTest00434.py
@@ -45,7 +45,7 @@ def BenchmarkTest00434_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00435.py b/testcode/BenchmarkTest00435.py
index b4f05001..6bb02e4e 100644
--- a/testcode/BenchmarkTest00435.py
+++ b/testcode/BenchmarkTest00435.py
@@ -44,7 +44,7 @@ def BenchmarkTest00435_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00827.py b/testcode/BenchmarkTest00827.py
index 67c5ceb0..286af442 100644
--- a/testcode/BenchmarkTest00827.py
+++ b/testcode/BenchmarkTest00827.py
@@ -43,7 +43,7 @@ def BenchmarkTest00827_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00828.py b/testcode/BenchmarkTest00828.py
index c3962bc5..7efb7236 100644
--- a/testcode/BenchmarkTest00828.py
+++ b/testcode/BenchmarkTest00828.py
@@ -43,7 +43,7 @@ def BenchmarkTest00828_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00904.py b/testcode/BenchmarkTest00904.py
index 7b1ff10a..a0053bff 100644
--- a/testcode/BenchmarkTest00904.py
+++ b/testcode/BenchmarkTest00904.py
@@ -45,7 +45,7 @@ def BenchmarkTest00904_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00994.py b/testcode/BenchmarkTest00994.py
index 7173d181..ca0615e7 100644
--- a/testcode/BenchmarkTest00994.py
+++ b/testcode/BenchmarkTest00994.py
@@ -53,7 +53,7 @@ def BenchmarkTest00994_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00998.py b/testcode/BenchmarkTest00998.py
index 6394f4b9..4b2e8b8f 100644
--- a/testcode/BenchmarkTest00998.py
+++ b/testcode/BenchmarkTest00998.py
@@ -51,7 +51,7 @@ def BenchmarkTest00998_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
From 250290a49282fcd6915534f146477da3b186187c Mon Sep 17 00:00:00 2001
From: Mike-Ki
Date: Thu, 7 May 2026 17:36:10 +0200
Subject: [PATCH 2/2] Escape non-vuln cases to prevent false XSS hits
These test cases are intended for deserialization coverage, not XSS. Escaping prevents them from being potentially incorrectly flagged as XSS vulns.
---
 testcode/BenchmarkTest00081.py | 2 +-
 testcode/BenchmarkTest00433.py | 2 +-
 testcode/BenchmarkTest00513.py | 2 +-
 testcode/BenchmarkTest00514.py | 2 +-
 testcode/BenchmarkTest00608.py | 2 +-
 testcode/BenchmarkTest00609.py | 2 +-
 testcode/BenchmarkTest00658.py | 2 +-
 testcode/BenchmarkTest00659.py | 2 +-
 testcode/BenchmarkTest00660.py | 2 +-
 testcode/BenchmarkTest00901.py | 2 +-
 testcode/BenchmarkTest00902.py | 2 +-
 testcode/BenchmarkTest00903.py | 2 +-
 testcode/BenchmarkTest00995.py | 2 +-
 testcode/BenchmarkTest00996.py | 2 +-
 testcode/BenchmarkTest00997.py | 2 +-
 testcode/BenchmarkTest00999.py | 2 +-
 testcode/BenchmarkTest01099.py | 2 +-
 testcode/BenchmarkTest01100.py | 2 +-
 testcode/BenchmarkTest01101.py | 2 +-
 testcode/BenchmarkTest01102.py | 2 +-
 testcode/BenchmarkTest01174.py | 2 +-
 testcode/BenchmarkTest01228.py | 2 +-
 22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/testcode/BenchmarkTest00081.py b/testcode/BenchmarkTest00081.py
index e9c92b8e..395107f3 100644
--- a/testcode/BenchmarkTest00081.py
+++ b/testcode/BenchmarkTest00081.py
@@ -52,7 +52,7 @@ def BenchmarkTest00081_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00433.py b/testcode/BenchmarkTest00433.py
index 4b4b2a2d..0c5e00e4 100644
--- a/testcode/BenchmarkTest00433.py
+++ b/testcode/BenchmarkTest00433.py
@@ -46,7 +46,7 @@ def BenchmarkTest00433_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00513.py b/testcode/BenchmarkTest00513.py
index 0179ac59..2e6630c6 100644
--- a/testcode/BenchmarkTest00513.py
+++ b/testcode/BenchmarkTest00513.py
@@ -45,7 +45,7 @@ def BenchmarkTest00513_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00514.py b/testcode/BenchmarkTest00514.py
index c97904da..f08b0765 100644
--- a/testcode/BenchmarkTest00514.py
+++ b/testcode/BenchmarkTest00514.py
@@ -42,7 +42,7 @@ def BenchmarkTest00514_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00608.py b/testcode/BenchmarkTest00608.py
index 79c32e1f..5d7cf7a5 100644
--- a/testcode/BenchmarkTest00608.py
+++ b/testcode/BenchmarkTest00608.py
@@ -53,7 +53,7 @@ def BenchmarkTest00608_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00609.py b/testcode/BenchmarkTest00609.py
index f7e288e1..c4fd9991 100644
--- a/testcode/BenchmarkTest00609.py
+++ b/testcode/BenchmarkTest00609.py
@@ -49,7 +49,7 @@ def BenchmarkTest00609_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00658.py b/testcode/BenchmarkTest00658.py
index b59bfef6..acfa1849 100644
--- a/testcode/BenchmarkTest00658.py
+++ b/testcode/BenchmarkTest00658.py
@@ -53,7 +53,7 @@ def BenchmarkTest00658_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00659.py b/testcode/BenchmarkTest00659.py
index 9ee5e72d..096abbc0 100644
--- a/testcode/BenchmarkTest00659.py
+++ b/testcode/BenchmarkTest00659.py
@@ -49,7 +49,7 @@ def BenchmarkTest00659_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00660.py b/testcode/BenchmarkTest00660.py
index 273789e7..5a021de4 100644
--- a/testcode/BenchmarkTest00660.py
+++ b/testcode/BenchmarkTest00660.py
@@ -54,7 +54,7 @@ def BenchmarkTest00660_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00901.py b/testcode/BenchmarkTest00901.py
index f3a1ae9a..25151922 100644
--- a/testcode/BenchmarkTest00901.py
+++ b/testcode/BenchmarkTest00901.py
@@ -50,7 +50,7 @@ def BenchmarkTest00901_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00902.py b/testcode/BenchmarkTest00902.py
index 5c8ae437..788479cc 100644
--- a/testcode/BenchmarkTest00902.py
+++ b/testcode/BenchmarkTest00902.py
@@ -48,7 +48,7 @@ def BenchmarkTest00902_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00903.py b/testcode/BenchmarkTest00903.py
index f00a1c3f..b01066b2 100644
--- a/testcode/BenchmarkTest00903.py
+++ b/testcode/BenchmarkTest00903.py
@@ -50,7 +50,7 @@ def BenchmarkTest00903_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00995.py b/testcode/BenchmarkTest00995.py
index 724ca5f5..66d87e49 100644
--- a/testcode/BenchmarkTest00995.py
+++ b/testcode/BenchmarkTest00995.py
@@ -51,7 +51,7 @@ def BenchmarkTest00995_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00996.py b/testcode/BenchmarkTest00996.py
index c4ac74de..d2bb2ac5 100644
--- a/testcode/BenchmarkTest00996.py
+++ b/testcode/BenchmarkTest00996.py
@@ -55,7 +55,7 @@ def BenchmarkTest00996_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00997.py b/testcode/BenchmarkTest00997.py
index bb809116..9cef1155 100644
--- a/testcode/BenchmarkTest00997.py
+++ b/testcode/BenchmarkTest00997.py
@@ -54,7 +54,7 @@ def BenchmarkTest00997_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest00999.py b/testcode/BenchmarkTest00999.py
index ce7cf57c..1b1a0604 100644
--- a/testcode/BenchmarkTest00999.py
+++ b/testcode/BenchmarkTest00999.py
@@ -55,7 +55,7 @@ def BenchmarkTest00999_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01099.py b/testcode/BenchmarkTest01099.py
index 35a84936..3be2a52d 100644
--- a/testcode/BenchmarkTest01099.py
+++ b/testcode/BenchmarkTest01099.py
@@ -47,7 +47,7 @@ def BenchmarkTest01099_post():
 yobj = yaml.load(bar, Loader=yaml.Loader)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01100.py b/testcode/BenchmarkTest01100.py
index 72846d5c..a11f0444 100644
--- a/testcode/BenchmarkTest01100.py
+++ b/testcode/BenchmarkTest01100.py
@@ -48,7 +48,7 @@ def BenchmarkTest01100_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01101.py b/testcode/BenchmarkTest01101.py
index 5999746a..f7495a50 100644
--- a/testcode/BenchmarkTest01101.py
+++ b/testcode/BenchmarkTest01101.py
@@ -43,7 +43,7 @@ def BenchmarkTest01101_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01102.py b/testcode/BenchmarkTest01102.py
index e6a00045..a4fc4ded 100644
--- a/testcode/BenchmarkTest01102.py
+++ b/testcode/BenchmarkTest01102.py
@@ -48,7 +48,7 @@ def BenchmarkTest01102_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01174.py b/testcode/BenchmarkTest01174.py
index 94c9e4cb..c77b1229 100644
--- a/testcode/BenchmarkTest01174.py
+++ b/testcode/BenchmarkTest01174.py
@@ -51,7 +51,7 @@ def BenchmarkTest01174_post():
 yobj = yaml.safe_load(bar)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (
diff --git a/testcode/BenchmarkTest01228.py b/testcode/BenchmarkTest01228.py
index 81253ee2..859b3e6e 100644
--- a/testcode/BenchmarkTest01228.py
+++ b/testcode/BenchmarkTest01228.py
@@ -40,7 +40,7 @@ def BenchmarkTest01228_post():
 yobj = yaml.safe_load(param)
 RESPONSE += (
- yobj['text']
+ escape_for_html(yobj['text'])
 )
 except:
 RESPONSE += (