"""Tests for the HTML session export renderer."""
from hermes_cli.session_export_html import (
_generate_messages_html,
generate_multi_session_html_export,
)
def test_tool_call_name_is_escaped():
"""A tool-call name is attacker-influenced (a prompt-injected model can emit
an arbitrary name), so it must be HTML-escaped like every sibling field."""
payload = '
'
html = _generate_messages_html([
{
"role": "assistant",
"content": "",
"tool_calls": [
{
"id": "call_1",
"type": "function",
"function": {"name": payload, "arguments": "{}"},
}
],
}
])
assert payload not in html
assert "<img src=x onerror=" in html
def test_tool_call_arguments_stay_escaped():
html = _generate_messages_html([
{
"role": "assistant",
"content": "",
"tool_calls": [
{
"id": "call_1",
"type": "function",
"function": {"name": "terminal", "arguments": "x"},
}
],
}
])
assert "<b>x</b>" in html
assert "x" not in html
def test_multi_session_export_keeps_switcher_script():
"""The multi-session export drives session switching with an inline script,
so the escaping fix must not remove or block that script."""
sessions = [
{"id": "aaaa1111", "title": "First", "started_at": 0,
"messages": [{"role": "user", "content": "one"}]},
{"id": "bbbb2222", "title": "Second", "started_at": 0,
"messages": [{"role": "user", "content": "two"}]},
]
html = generate_multi_session_html_export(sessions)
assert "function showSession" in html
assert 'data-id="aaaa1111"' in html
assert 'id="view-bbbb2222"' in html