HTML content in test report is not escaped properly in VItest UI

[BlankParticle]

Describe the bug

I have a few tests that compares HTML content. It shows the HTML diff as needed in console. But the HTML content is not not escaped and renders as html instead of text. This allows one to arbitrarily inject any html element in the web reporter.

Personally, I don't think executing arbitrary script in vitest web ui is any big deal, but its annoying while trying to see the errors.

Reproduction

The reproduction is at https://stackblitz.com/edit/vitest-dev-vitest-fgckzr?file=test%2Fhtml.test.ts&initialPath=__vitest__/

for the script and style to be injected, open the first test fail report

It should apply a green border to everything and show an alert

System Info

System:
    OS: Linux 6.6 Pop!_OS 22.04 LTS
    CPU: (8) x64 AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx
    Memory: 2.14 GB / 5.66 GB
    Container: Yes
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 20.11.1 - ~/.local/share/pnpm/node
    npm: 10.2.4 - ~/.local/share/pnpm/npm
    pnpm: 8.15.4 - ~/.local/share/pnpm/pnpm
    bun: 1.0.29 - ~/.bun/bin/bun
  Browsers:
    Chrome: 122.0.6261.94
  npmPackages:
    @vitest/ui: ^1.3.1 => 1.3.1 
    vitest: ^1.3.1 => 1.3.1

Used Package Manager

pnpm

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[hi-ogawa]

Oh, you got a nice reproduction. I thought html escape issue is fixed by #4724, but maybe it's missing for diff output.