testssl.sh icon indicating copy to clipboard operation
testssl.sh copied to clipboard

Published 20 hours ago verified publisher icon drwetter

Add a way to style the HTML output

Open lightxx opened this issue 6 years ago • 6 comments

I'm heavily using your testssl.sh for automated server-testing. I'm post-processing the HTML output, and it would really be cool if you added some ids to the tags, or some classes that could be later on styled with CSS.

The styles you are using are removed when --color is set to 0, I don't know it this is the expected behavior. IMHO, just the console output should be un-colored when this flag is set.

lightxx avatar Oct 11 '18 07:10 lightxx

  1. IDs/classes: sounds like a plan ;-)

  2. --color: currently it's expected behavior

drwetter avatar Oct 11 '18 08:10 drwetter

@drwetter about --color: would it be a changable behaviour, or should one create a --html-color with the same definition as --color, that overrides the value set by --color?

klaernie avatar Feb 15 '21 11:02 klaernie

@klaernie : Not sure I fully understand you. --color currently has 4 values. They are fixed.

@dcooper16 a while back added a commit (PR #1518) which made the HTML colors more W3C compliant which brings the color topic a step forward.

It is planned to improve the terminal output too (PR #<somehwere>), as we don't take 256 bit colors into account and also don't modify the background colors.

drwetter avatar Feb 16 '21 10:02 drwetter

@drwetter I was wondering, if you would like to keep the current effect of --color on the html colors, or if the html colors should be configured completely isolated from ̀--color`.

From my viewpoint there should be:

  • --color as usual to determine the terminal coloring (and only that)
  • --html-css-file a .css stylesheet to include inline in the generated html
  • --html-css-ref a reference to a stylesheet, that will be included as <link rel=stylesheet href="..." /> (so it should be relative to the output file)
  • --no-html-css a flag that disabled the builtin stylesheet completely

In any cases I'd preface the user-provided stylesheet with our default stylesheet, so users usually only need to style what they'd like to change (except if they ask for --no-html-css).

This then would also allow users that run hundreds of the testssl runs and provide html reports via a webserver to reduce the html size and place the entire css externally, where it is well cached.

If you'd like I'll spend some time on these:

  • breaking the html colors into a stylesheet
  • outputting the stylesheet as part of the header, including --no-html-css
  • rewriting the html prints so they use the fresh classes
  • implementing the additional items --html-css-file and --html-css-ref

Do you think this design fits or would you do it another way?

klaernie avatar Mar 04 '21 09:03 klaernie

I am not in general opposed to an "external" style sheet. But by "external" I was cringing ;-) mostly bc of security. I do not like the fact that "external" is somewhere else. I see advantages though as the look and feel can be customized. But...

I was wondering, if you would like to keep the current effect of --color on the html colors, or if the html colors should be configured completely isolated from ̀--color`.

Currently they are similar, but not the same. Don't you think if they diverge completely wrt the screen that would lead to some confusion? And: why should "bad" be not red and "green" not good, unless one is colorblind?

drwetter avatar Mar 04 '21 18:03 drwetter

I am not in general opposed to an "external" style sheet. But by "external" I was cringing ;-) mostly bc of security. I do not like the fact that "external" is somewhere else. I see advantages though as the look and feel can be customized. But...

Okay, maybe I misworded the external part: external means just not included in the actual html file, yet I still expect that users will place the css directly next to the generated html, so no external as in "other machines" external, just not included in the html itself.

This usecase I myself do actually anticipate: I need to run scans of the entire network to verify security policies, so I will have to spend disk and network IO on serving the stylesheet with every html report if it is inlined, while I could rely on a browser-cached version for the people accessing the reports for 20 different scan targets.

I was wondering, if you would like to keep the current effect of --color on the html colors, or if the html colors should be configured completely isolated from ̀--color`.

Currently they are similar, but not the same. Don't you think if they diverge completely wrt the screen that would lead to some confusion? And: why should "bad" be not red and "green" not good, unless one is colorblind?

I was not actually talking about the colors themselves. I was talking about the - lets call them - color profiles:

  • no color at all
  • only b/w highlighting
  • default colors
  • default colors + colored ciphers

One might need a fully colored html, while simultaneously using only colorless terminal output. Others might need it the other way around.

The question at hand is: are you fine with the html colors being only controlled by the stylesheet, or should --color still have an effect on what is colored or not in the html?

klaernie avatar Mar 06 '21 22:03 klaernie