Sanitizes user inputs to prevent XSS

omursahin · omursahin · commit 110e6bc1eca7 · 2025-11-05T10:09:38.000+03:00
diff --git a/core-tests/e2e-tests/spring-rest-openapi-v2/src/main/java/com/foo/rest/examples/spring/endpointfocusandprefix/EndpointFocusAndPrefixRest.java b/core-tests/e2e-tests/spring-rest-openapi-v2/src/main/java/com/foo/rest/examples/spring/endpointfocusandprefix/EndpointFocusAndPrefixRest.java
@@ -9,6 +9,7 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.util.HtmlUtils;
 
 import javax.ws.rs.core.MediaType;
 import java.util.Arrays;
@@ -154,7 +155,7 @@ public String placeOrder() {
     public String getUserByName(    @ApiParam("username to retrieve")
                                     @PathVariable("username")
                                     String name) {
-        return "Retrieved information for the user " + name;
+        return "Retrieved information for the user " + HtmlUtils.htmlEscape(String.valueOf(name));
     }
 
     @ApiOperation("Update information about a user")
@@ -167,7 +168,7 @@ public String updateUserInformation(
             @ApiParam("username to update")
             @PathVariable("username")
             String name) {
-        return "Updated information for the user " + name;
+        return "Updated information for the user " + HtmlUtils.htmlEscape(String.valueOf(name));
     }
 
     @ApiOperation("Delete information about a user")
@@ -180,7 +181,7 @@ public String deleteUserInformation(
             @ApiParam("username to delete")
             @PathVariable("username")
             String name) {
-        return "Deleted information for the user " + name;
+        return "Deleted information for the user " + HtmlUtils.htmlEscape(String.valueOf(name));
     }
 
     @ApiOperation("Create a new user")
@@ -207,10 +208,10 @@ public String createUserWithList(
         for(EndpointFocusAndPrefixRestDTO dto : userlist) {
 
             reportBuilder.append("-------\n");
-            reportBuilder.append("ID: ").append(dto.id).append("\n");
-            reportBuilder.append("Username: ").append(dto.userName).append("\n");
-            reportBuilder.append("Firstname: ").append(dto.firstName).append("\n");
-            reportBuilder.append("Lastname: ").append(dto.lastName).append("\n");
+            reportBuilder.append("ID: ").append(HtmlUtils.htmlEscape(String.valueOf(dto.id))).append("\n");
+            reportBuilder.append("Username: ").append(HtmlUtils.htmlEscape(dto.userName)).append("\n");
+            reportBuilder.append("Firstname: ").append(HtmlUtils.htmlEscape(dto.firstName)).append("\n");
+            reportBuilder.append("Lastname: ").append(HtmlUtils.htmlEscape(dto.lastName)).append("\n");
             reportBuilder.append("-------\n");
         }
         String report = reportBuilder.toString();
diff --git a/core-tests/e2e-tests/spring-rest-openapi-v2/src/test/java/org/evomaster/e2etests/spring/examples/endpointfocusandprefix/EndpointFocusAndPrefixTest.java b/core-tests/e2e-tests/spring-rest-openapi-v2/src/test/java/org/evomaster/e2etests/spring/examples/endpointfocusandprefix/EndpointFocusAndPrefixTest.java
@@ -255,7 +255,7 @@ public void testRunBlackboxWithPrefixWithoutParameters() throws Throwable {
                     assertAllSolutionsHavePathFocusOrPrefixList(solution, pathsToCheck, false);
 
                     // The solution should include 8 solutions, 7 endpoints and 1 failure case
-                    assertEquals(solution.getIndividuals().size(), 8);
+                    assertEquals(8, solution.getIndividuals().size());
 
                     // write test into the output folder
                     compile(outputFolder);
