Mixed output causes httpie to preprocess it incorrectly #1620

Open
2 tasks done
danbulant opened this issue Mar 8, 2025 · 0 comments
Labels: bug (Something isn't working), new (Needs triage. Comments are welcome!)


danbulant commented Mar 8, 2025

Checklist

  • I've searched for similar issues.
  • I'm using the latest version of HTTPie.

Minimal reproduction code and steps

  1. Create a request to a service that returns MIME type text/html with a JSON body and escaped HTML inside a string
  2. Observe the HTML getting highlighted and characters converted to their unescaped versions
  3. Compare with piping to cat to remove preprocessing, where the characters are left as they are

Current result

For example, proxy dns.google but set its return content-type to text/html (proxy_pass https://dns.google; add_header Content-Type text/html always; in nginx).

http "http://localhost/resolve?name=example.com%3Cscript%3Ealert(1)%3C%2Fscript%3E" -v | cat
GET /resolve?name=example.com%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
User-Agent: HTTPie/3.2.4
Host: dns.google

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Date: Sat, 08 Mar 2025 11:22:11 GMT
Expires: Sat, 08 Mar 2025 11:22:11 GMT
Cache-Control: private, max-age=86399
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: HTTP server (unknown)
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked

{"Status":3,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"example.com\u003cscript\u003ealert(1)\u003c/script\u003e.","type":1}],"Authority":[{"name":".","type":6,"TTL":86399,"data":"a.root-servers.net. nstld.verisign-grs.com. 2025030800 1800 900 604800 86400"}]}

is the raw code, but without |cat gets rendered as

{
    "AD": true,
    "Authority": [
        {
            "TTL": 86397,
            "data": "a.root-servers.net. nstld.verisign-grs.com. 2025030800 1800 900 604800 86400",
            "name": ".",
            "type": 6
        }
    ],
    "CD": false,
    "Question": [
        {
            "name": "example.com<script>alert(1)</script>.",
            "type": 1
        }
    ],
    "RA": true,
    "RD": true,
    "Status": 3,
    "TC": false
}

which is incorrect and can be confusing

Expected result

Same as |cat output as there's no real HTML to prettify

Additional information, screenshots, or code examples

Image

danbulant added the bug and new labels on Mar 8, 2025
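An added example, not part of the original issue and not HTTPie's code: the difference between the two outputs quoted above is what a JSON parse and re-serialise round trip produces, reproduced here with Python's json module on a constructed excerpt of the quoted body. It assumes the formatter round-trips the body this way, which the issue does not confirm; all function names are hypothetical.

```python
import json
import re

# Constructed sample: an excerpt of the response body quoted in the issue.
RAW_BODY = (
    r'{"Status":3,"Question":[{"name":'
    r'"example.com\u003cscript\u003ealert(1)\u003c/script\u003e.","type":1}]}'
)

# Characters a server typically escapes so the JSON stays inert if it is ever
# interpreted as HTML (here the response really is labelled text/html).
HTML_SIGNIFICANT = re.compile(r"[<>&\u2028\u2029]")


def naive_pretty(body: str) -> str:
    """Parse and re-serialise: \\uXXXX escapes are decoded and not restored."""
    return json.dumps(json.loads(body), indent=4, sort_keys=True, ensure_ascii=False)


def escape_preserving_pretty(body: str) -> str:
    """Pretty-print, then re-escape HTML-significant characters.

    In valid JSON these characters can only occur inside string literals, so
    rewriting them as \\uXXXX in the serialised text never changes the value.
    """
    pretty = naive_pretty(body)
    return HTML_SIGNIFICANT.sub(lambda m: "\\u%04x" % ord(m.group()), pretty)


def escapes_lost(raw: str, rendered: str) -> bool:
    """True if rendering exposed HTML-significant characters absent from raw."""
    exposed = set(HTML_SIGNIFICANT.findall(rendered))
    return bool(exposed - set(HTML_SIGNIFICANT.findall(raw)))


if __name__ == "__main__":
    print(naive_pretty(RAW_BODY))              # literal <script> appears
    print(escape_preserving_pretty(RAW_BODY))  # \u003c / \u003e kept
```

The `escapes_lost` check can serve as a regression test for any formatter whose output may be copied into an HTML context.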