Escape HTML characters in repr_utils.py.

PiperOrigin-RevId: 665673426
techthiyanes · Aug 21, 2024 · 2834285 · 2834285
1 parent 4e552fd
commit 2834285
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/langfun/core/repr_utils.py b/langfun/core/repr_utils.py
@@ -15,6 +15,7 @@
 
 import collections
 import contextlib
+import html
 import io
 from typing import Any, Callable, Iterator
 
@@ -126,7 +127,7 @@ def html_repr(
     if hasattr(v, '_repr_html_'):
       cs = v._repr_html_()  # pylint: disable=protected-access
     else:
-      cs = f'<span style="white-space: pre-wrap">{str(v)}</span>'
+      cs = f'<span style="white-space: pre-wrap">{html.escape(str(v))}</span>'
 
     key_color, key_bg_color, value_color, value_bg_color = item_color(k, v)
     key_span = html_round_text(

diff --git a/langfun/core/repr_utils_test.py b/langfun/core/repr_utils_test.py
@@ -63,9 +63,12 @@ def test_html_repr(self):
     class Foo(pg.Object):
       x: int
 
-    html = repr_utils.html_repr({'foo': pg.Ref(Foo(1))})
+    html = repr_utils.html_repr(
+        {'foo': pg.Ref(Foo(1)), 'bar': '<lf_image>'}
+    )
     self.assertIn('foo</span>', html)
     self.assertNotIn('Ref', html)
+    self.assertIn('&lt;lf_image&gt;', html)
 
 
 if __name__ == '__main__':