Regex literal in Hurl files are not escaped when exported to HTML, allowing injections

Given this Hurl file:

regex.hurl:

GET https://foo.com
HTTP 200
[Asserts]
jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/

When exported to HTML:

$ hurlfmt --out html regex.hurl
<pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span>
</span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span>
<span class="line"><span class="section-header">[Asserts]</span></span>
<span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>
</span></span><span class="line"></span>
</code></pre>

The regex literal /<img src="" onerror="alert('Hi!')">/ is not escaped:

<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span>

When opened in a browser, the code is run without user interaction:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Regex literal in Hurl files are not escaped when exported to HTML, allowing injections

Package

Affected versions

Patched versions

Description

Severity

CVE ID

Weaknesses