Update HTML tag parsing to work with Acunetix 360

CHANGELOG.md

@@ -1,3 +1,6 @@
+v4.16.0 (Month 2025)
+  - Update HTML tag parsing for Acunetix 360
+
 v4.15.0 (December 2024)
   - No changes
 

lib/acunetix/concerns/cleanup.rb

@@ -8,32 +8,34 @@ def cleanup_html(source)
 
       format_table(result)
 
-      result.gsub!(/"/, '"')
-      result.gsub!(/&/, '&')
-      result.gsub!(/&lt;/, '<')
-      result.gsub!(/&gt;/, '>')
-
       result.gsub!(/<h[0-9] >(.*?)<\/h[0-9]>/) { "\n\n*#{$1.strip}*\n\n" }
       result.gsub!(/<b>(.*?)<\/b>/) { "*#{$1.strip}*" }
-      result.gsub!(/<br\/>/, "\n")
+      result.gsub!(/<br ?\/>/, "\n")
       result.gsub!(/<div(.*?)>|<\/div>/, '')
+      result.gsub!(/<span.*?>(.*?)<\/span>/m){"#{$1.strip}"}
+      result.gsub!(/<span.*?>|<\/span>/, '') #repeating again to deal with nested/empty/incomplete span tags
+
+      result.gsub!(/<a(.*?)href='(.*?)'><i(.*?)><\/i>(.*?)<\/a>/m) { "\"#{$4}\":#{$2}" }
       result.gsub!(/<a.*?>(.*?)<\/a>/m, '\1')
       result.gsub!(/<font.*?>(.*?)<\/font>/m, '\1')
       result.gsub!(/<h2>(.*?)<\/h2>/) { "*#{$1.strip}*" }
       result.gsub!(/<i>(.*?)<\/i>/, '\1')
-      result.gsub!(/<p.*?>(.*?)<\/p>/) { "\np. #{$1.strip}\n" }
-      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
-      result.gsub!(/<code>(.*?)<\/code>/) { "@#{$1.strip}@" }
-      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{$1.strip}\n\np.  \n" }
-
-      result.gsub!(/<li.*?>([\s\S]*?)<\/li>/m){"\n* #{$1.strip}"}
-      result.gsub!(/<ul>([\s\S]*?)<\/ul>/m){ "#{$1.strip}\n" }
+      result.gsub!(/<em>(.*?)<\/em>/) { "_#{$1.strip}_" }
+      result.gsub!(/<p.*?>(.*?)<\/p>/) { "p. #{$1.strip}\n\n" }
+      result.gsub!(/<code><pre.*?>(.*?)<\/pre><\/code>/m){|m| "\n\nbc.. #{$1}\n\np. \n" }
+      result.gsub!(/<code>(.*?)<\/code>/) {  "\n\nbc. #{$1}\n\n" }
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/) { "\n\nbc. #{$1}\n\n" }
+      result.gsub!(/<pre.*?>(.*?)<\/pre>/m){|m| "\n\nbc.. #{$1}\n\np. \n" }
+
+      result.gsub!(/<li.*?>([\s\S]*?)<\/li>/m){"\n* #{$1}"}
+      result.gsub!(/<ul>([\s\S]*?)<\/ul>/m){ "#{$1}\n" }
       result.gsub!(/(<ul>)|(<\/ul>|(<ol>)|(<\/ol>))/, "\n")
-      result.gsub!(/<li>/, "\n* ")
-      result.gsub!(/<\/li>/, "\n")
+      result.gsub!(/<strong>(.*?)<\/strong>/m) { "*#{$1}*" }
 
-      result.gsub!(/<strong>(.*?)<\/strong>/) { "*#{$1.strip}*" }
-      result.gsub!(/<span.*?>(.*?)<\/span>/m){"#{$1.strip}\n"}
+      result.gsub!(/&quot;/, '"')
+      result.gsub!(/&amp;/, '&')
+      result.gsub!(/&lt;/, '<')
+      result.gsub!(/&gt;/, '>')
 
       result
     end
@@ -68,7 +70,7 @@ def format_table(str)
 
     # Some of the values have embedded HTML conent that we need to strip
     def tags_with_html_content
-      [:details, :description, :detailed_information, :impact, :recommendation]
+      [:details, :description, :detailed_information, :impact, :recommendation, :remedial_actions, :remedial_procedure, :external_references]
     end
 
     def tags_with_commas

lib/dradis/plugins/acunetix/mapping.rb

@@ -60,7 +60,10 @@ module Mapping
         'CVSS3Vector' => '{{ acunetix[vulnerability_360.cvss31_vector] }}',
         'CVSS3Base' => '{{ acunetix[vulnerability_360.cvss31_base] }}',
         'CVSS3Temporal' => '{{ acunetix[vulnerability_360.cvss31_temporal] }}',
-        'CVSS3Environmental' => '{{ acunetix[vulnerability_360.cvss31_environmental] }}'
+        'CVSS3Environmental' => '{{ acunetix[vulnerability_360.cvss31_environmental] }}',
+        'Remedial Actions' => '{{ acunetix[vulnerability_360.remedial_actions] }}',
+        'Remedial Procedure' => '{{ acunetix[vulnerability_360.remedial_procedure] }}',
+        'References' => '{{ acunetix[vulnerability_360.external_references] }}',
       }
     }.freeze
 

spec/acunetix/acunetix360/importer_spec.rb

@@ -57,5 +57,15 @@ def run_import!
 
       run_import!
     end
+
+    it 'parses links in <external-references> tag' do
+      expect(@content_service).to receive(:create_issue) do |args|
+        expect(args[:text]).to include('"Blind SQL Injection":https://www.owasp.org/index.php/Blind_SQL_Injection')
+        expect(args[:text]).to include('"SQL Injection Cheat Sheet[#Blind]":https://www.acunetix.com/blog/web-security/sql-injection-cheat-sheet/#BlindSQLInjections')
+        OpenStruct.new(args)
+      end
+
+      run_import!
+    end
   end
 end