Fix XSS in rendered report: HTML-escape user-controlled reportName (via #3334)

Author: grootstebozewolf

allure-generator/src/main/resources/tpl/index.html.ftl

@@ -14,7 +14,7 @@
 <head>
     <meta charset="utf-8">
     <meta name="allure-report-uuid" content="${reportUuid}">
-    <title>${reportName!"Allure Report"}</title>
+    <title>${(reportName!"Allure Report")?html}</title>
     <link rel="icon" href="${faviconUrl}">
     <!-- allure-core-head:start -->
     <#list coreStyleUrls as styleUrl>

allure-generator/src/test/java/io/qameta/allure/core/ReportWebGeneratorTest.java

@@ -81,6 +81,29 @@ void shouldDisableAnalytics(@TempDir final Path tempDirectory) {
                 .doesNotContain("dataLayer");
     }
 
+    /**
+     * Verifies that a hostile {@code reportName} containing live HTML / JS
+     * is HTML-escaped rather than rendered raw into the {@code <title>} tag.
+     */
+    @Description
+    @Test
+    void shouldEscapeHtmlInReportName(@TempDir final Path tempDirectory) {
+        final String hostile = "<script>alert('xss')</script>";
+        final Configuration configuration = ConfigurationBuilder.empty()
+                .withReportName(hostile)
+                .build();
+        final InMemoryReportStorage reportStorage = new InMemoryReportStorage();
+        generateReport(configuration, reportStorage, tempDirectory);
+
+        final Path indexHtml = tempDirectory.resolve("index.html");
+
+        assertThat(indexHtml)
+                .isRegularFile()
+                .content(StandardCharsets.UTF_8)
+                .as("hostile reportName must not appear as live HTML in the generated report")
+                .doesNotContain(hostile);
+    }
+
     /**
      * Verifies setting language for web report generation.
      */