Bug in XML-escaping in JUnit reporters


This is a follow-up from information I shared with on Slack.

My test runner file is thus:


When I run my tests in the browser I get this:


When I look at the source, I see the XML is truncated just before an accented character in the string it's trying to output, e.g.:

This is a truncation of "portuguese (são tomé & príncipe)", which is from my server.coldfusion.supportedlocales value, which - for some reason I do not know - is being included in the output XML.

If I look at the raw request, the whole "XML" is being returned, but it's banjaxed where those accented characters are:


Please note that the “ã” in “são” doesn’t have the accent here because I am running a version of the reporter that has already “fixed” “ã”; I just commented out the fix for “í” so as to demo the issue to you. All accented characters give the problem.


I can circumvent the issue if I remove accented characters from the string before xmlFormat-ing it, eg:

(from https://github.com/Ortus-Solutions/TestBox/blame/development/system/reports/JUnitReporter.cfc#L206).

I cannot reproduce this in isolation with this code:


I am running this on Lucee, using their Docker container.

AntJUnitReporter has the same issue.

Sorry I cannot tie down any better what's going on.

If/when you address this, can I recommend you additionally cut out anything from the XML that is not directly required by the JUnit XML format? There's absolutely no need for all the bloat that is being included here, and this in turn is causing you the problem.

It's great that you include the reporters for JUnit consumers and Ant, but I think the ones you ship should be the minimum to be useful, and if someone wants to include meta information along with the results, they can implement their own reporter which extends this and overrides the relevant methods to add the extra stuff they want.

Can I also recommend you don't use xmlFormat for this sort of thing as it's known to be incomplete/naive; the zeitgeist is (was?) to use OWASP's encoding methods (eg: ). ColdFusion has native support for these; I note Lucee does not. UPDATE: Lucee (and CF) do both support though.

From my perspective there is no urgency on this and it is not causing me a practical problem. I was just "testing TestBox" when I came across it.

Cheers and keep up the good work!
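As an added example (Python, not TestBox's CFML code and not part of this ticket), here is a minimal JUnit XML writer that illustrates the two recommendations above: escape per context (attribute value versus element text), touching only the characters XML actually reserves so that accented text passes through unchanged, and emit only the elements the JUnit format needs. The locale string from the ticket is reused as constructed sample input; the `cases` dict layout and all function names are assumptions made for this example. The round-trip parse at the end is the check a reporter's own test suite could run.

```python
# Added example (Python, not TestBox code): a minimal JUnit XML writer whose
# escaping is context-specific and leaves non-ASCII text alone.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# XML 1.0 forbids most C0 control characters even as character references,
# so a report containing e.g. a NUL from a failing test would be rejected by
# the consumer. Strip them before escaping.
_INVALID_XML_CHARS = re.compile(r"[\x00-\x08\x0B\x0C\x0E-\x1F\uFFFE\uFFFF]")


def sanitize(text: str) -> str:
    """Remove characters that are not legal anywhere in an XML 1.0 document."""
    return _INVALID_XML_CHARS.sub("", text)


def xml_text(text: str) -> str:
    """Escape for element content: only & < > need touching.

    Accented characters such as 'ã' are ordinary XML characters and are
    passed through untouched; the byte-encoding step, not escaping,
    is what has to handle them.
    """
    return escape(sanitize(text))


def xml_attr(text: str) -> str:
    """Escape for an attribute value; quoteattr returns it already quoted."""
    return quoteattr(sanitize(text))


def junit_xml(suite_name: str, cases: list) -> str:
    """Emit only what the JUnit format needs: testsuite, testcase, failure.

    Each case is a dict with 'name' and an optional 'failure' message
    (a constructed layout for this example).
    """
    failures = sum(1 for c in cases if c.get("failure") is not None)
    lines = [
        f'<testsuite name={xml_attr(suite_name)} tests="{len(cases)}" failures="{failures}">'
    ]
    for c in cases:
        if c.get("failure") is None:
            lines.append(f"  <testcase name={xml_attr(c['name'])}/>")
        else:
            lines.append(f"  <testcase name={xml_attr(c['name'])}>")
            lines.append(f"    <failure>{xml_text(c['failure'])}</failure>")
            lines.append("  </testcase>")
    lines.append("</testsuite>")
    return "\n".join(lines)


def junit_xml_bytes(suite_name: str, cases: list, encoding: str = "utf-8") -> bytes:
    """Serialise with a declaration that matches the encoding actually used.

    errors='strict' makes a charset that cannot represent the text fail
    loudly instead of silently producing a broken file.
    """
    declaration = f'<?xml version="1.0" encoding="{encoding}"?>\n'
    return (declaration + junit_xml(suite_name, cases)).encode(encoding, errors="strict")


def parse_junit(data: bytes) -> ET.Element:
    """Round-trip check: a consumer must be able to parse what we wrote."""
    return ET.fromstring(data)


if __name__ == "__main__":
    # Constructed sample input reusing the locale string from the ticket.
    sample = [
        {"name": "portuguese (são tomé & príncipe)"},
        {"name": 'bad <chars> "here"', "failure": "expected 1 got 2\x00"},
    ]
    out = junit_xml_bytes("locale tests", sample)
    print(out.decode("utf-8"))
    root = parse_junit(out)
    print([tc.get("name") for tc in root.iter("testcase")])
```

Keeping the declared encoding and the actual `.encode()` charset in one place is the point of `junit_xml_bytes`: a declaration that says UTF-8 over bytes produced in some other charset is exactly the kind of mismatch that shows up as garbage at the first non-ASCII character, and `errors="strict"` turns a charset that cannot represent the text into an exception rather than a silently broken file.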


Luis Majano
April 22, 2021, 2:04 PM

Thanks for this ticket. I have to say that I have had this issue as of late when integrating with Gitlab and the issue lies in the addition of server env properties like you mention. When I created this, I was like, hmm, let’s add as much data as possible, in case we need it.

At this point, I don’t see it the same. Less is more sometimes.

Thus, I will be removing some of the scope data that doesn’t really need to be there as well.


Luis Majano


Adam Cameron