Skip to content

fix: do not inject into commented-out head/body/html tags#34283

Open
chang-pro wants to merge 2 commits into
cypress-io:developfrom
chang-pro:fix-rewriter-commented-head-injection
Open

fix: do not inject into commented-out head/body/html tags#34283
chang-pro wants to merge 2 commits into
cypress-io:developfrom
chang-pro:fix-rewriter-commented-head-injection

Conversation

@chang-pro

Copy link
Copy Markdown

Additional details

The proxy's html rewriter picks its injection point by running headRe/bodyRe/htmlRe/doctypeRe over the raw response body, so a <head> inside an HTML comment becomes the injection target: the Cypress script lands inside the comment and a stray real <head></head> gets emitted, corrupting the page.

Instead of trying to make each regex comment-aware (the direction previous attempts took), the rewriter now masks comment ranges with same-length whitespace, matches against the masked copy, and splices into the original string by index (the insert helpers only use match.index/match[0].length, which stay aligned). An unterminated <!-- masks to the end of the document, matching how browsers treat it. The data-cy-bootstrap path is unchanged.

Steps to test

Run the spec from the issue:

cy.intercept('/app', { body: '<html><!-- <head><title>Test</title></head> --></html>' })
cy.visit('/app')

The comment now survives untouched and the injection lands in a real <head> placed after <html>. Unit coverage: packages/proxy/test/unit/http/util/rewriter.spec.ts (3 new specs covering commented head, commented body before a real body, and an unterminated comment; all 3 fail without the fix, 6/6 pass with it).

How has the user experience changed?

Pages containing commented-out <head>/<body>/<html> tags are no longer corrupted by the proxy. Before/after of the served HTML for the issue's repro:

Before: <html><!-- <head> <script>CYPRESS_INJECTION()</script><title>Test</title></head> --><head> </head></html>
After: <html> <head> <script>CYPRESS_INJECTION()</script> </head><!-- <head><title>Test</title></head> --></html>

PR Tasks

The proxy html rewriter picked its injection point with regexes over
the raw response body, so a <head> (or <body>/<html>/<!doctype>) inside
an HTML comment became the injection target and the served page got
corrupted. Search a comment-masked copy of the html instead and splice
into the original by index. Fixes cypress-io#33000
Copilot AI review requested due to automatic review settings July 12, 2026 18:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@CLAassistant

CLAassistant commented Jul 12, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@cypress-app-bot

Copy link
Copy Markdown
Collaborator

…masking quote-aware

The data-cy-bootstrap search ran before comment masking, so a
commented-out bootstrap script swallowed the injection. The comment
masker also treated <!-- inside a quoted attribute value as a comment
opener and did not recognize abrupt (<!-->) or --!> closings, blanking
the rest of the document and dropping real head attributes. Masking now
uses a small tag/quote-aware scanner and the bootstrap search runs on
the masked copy, splicing the original html by index.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

commented HTML code prevents packages/proxy/lib/http/util/rewriter.ts from working properly

4 participants