Potential fix for code scanning alert no. 560: Cross-site scripting

[ravirk91]

Potential fix for https://github.com/Ginger-Automation/Ginger/security/code-scanning/560

To fix this safely without changing functionality, encode the user-provided JSON string for HTML before packaging it into outbound content, so potentially executable markup characters are neutralized if the payload is ever rendered in an HTML context downstream. Since the recommendation explicitly points to System.Net.WebUtility, use WebUtility.HtmlEncode(...) on the finalized body right before constructing StringContent.

Best concrete change:

• File: Ginger/GingerCoreNET/External/WireMock/WireMockAPI.cs
• Method: CreateStubAsync(...)
• Keep current JSON parse/normalization logic.
• Add using System.Net;.
• Replace new StringContent(body, Encoding.UTF8, contentType) with new StringContent(WebUtility.HtmlEncode(body), Encoding.UTF8, contentType).

This is minimal, localized, and does not alter control flow or error handling.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

• Bug Fixes
  • Improved request payload handling to properly encode special characters when transmitting stub mappings, ensuring data integrity during API communication.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1c25084d-1ce0-4890-8aff-1ccea15b5321

📥 Commits

Reviewing files that changed from the base of the PR and between 29052ac and d4efe11.

📒 Files selected for processing (1)

• Ginger/GingerCoreNET/External/WireMock/WireMockAPI.cs

---

Walkthrough

The PR modifies WireMockAPI.CreateStubAsync to HTML-encode the request payload before constructing and posting it to the WireMock mappings endpoint. The change affects how the stub mapping is transmitted while maintaining existing control flow and error handling.

Changes

Cohort / File(s)	Summary
WireMock Payload Encoding Ginger/GingerCoreNET/External/WireMock/WireMockAPI.cs	HTML-encodes the request body parameter before constructing StringContent for the WireMock endpoint POST request.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Improve JSON handling and HTML encoding in API helpers #4489: Modifies the same WireMockAPI.CreateStubAsync method but implements different payload-handling via JSON-aware GetRawText()/serialization approach instead of HTML encoding.

Poem

🐰 Hop along with HTML escapes so fine,
Ampersands dancing in each payload line,
WireMock mappings dressed up clean,
The prettiest stubs we've ever seen! ✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alert-autofix-560

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity

Metric	Results
Complexity	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}