Fix XSS in rendered report: HTML-escape user-controlled reportLanguage (via #3337)

Author: grootstebozewolf

allure-generator/src/main/resources/tpl/index.html.ftl

@@ -10,7 +10,7 @@
 <#-- @ftlvariable name="reportName" type="java.lang.String" -->
 <#-- @ftlvariable name="reportLanguage" type="java.lang.String" -->
 <!DOCTYPE html>
-<html dir="ltr" lang="${reportLanguage!"en"}">
+<html dir="ltr" lang="${(reportLanguage!"en")?html}">
 <head>
     <meta charset="utf-8">
     <meta name="allure-report-uuid" content="${reportUuid}">

allure-generator/src/test/java/io/qameta/allure/core/ReportWebGeneratorTest.java

@@ -104,6 +104,29 @@ void shouldEscapeHtmlInReportName(@TempDir final Path tempDirectory) {
                 .doesNotContain(hostile);
     }
 
+    /**
+     * Verifies that a hostile {@code reportLanguage} containing live HTML
+     * cannot escape the {@code lang} attribute on the root {@code <html>} tag.
+     */
+    @Description
+    @Test
+    void shouldEscapeHtmlInReportLanguage(@TempDir final Path tempDirectory) {
+        final String hostile = "en\"><script>alert('xss')</script>";
+        final Configuration configuration = ConfigurationBuilder.empty()
+                .withReportLanguage(hostile)
+                .build();
+        final InMemoryReportStorage reportStorage = new InMemoryReportStorage();
+        generateReport(configuration, reportStorage, tempDirectory);
+
+        final Path indexHtml = tempDirectory.resolve("index.html");
+
+        assertThat(indexHtml)
+                .isRegularFile()
+                .content(StandardCharsets.UTF_8)
+                .as("hostile reportLanguage must not break out of the lang attribute")
+                .doesNotContain(hostile);
+    }
+
     /**
      * Verifies setting language for web report generation.
      */