Skip to content

[tfjs-vis] Escape HTML in heatmap tooltip labels #8717

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
f0r wants to merge 1 commit into
base: master
Choose a base branch
from
+35 −3
Open

[tfjs-vis] Escape HTML in heatmap tooltip labels #8717

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 18 additions & 2 deletions tfjs-vis/src/render/heatmap.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,19 @@ import {assert} from '../util/utils';

import {getDrawArea} from './render_utils';

/**
* Escapes HTML-significant characters so a string is rendered as text rather
* than markup. Mirrors vega-tooltip's default `escapeHTML` sanitizer, which is
* bypassed whenever a custom `sanitize` function is supplied to the tooltip.
*/
export function escapeHTML(value: string): string {
return value.replace(/&/g, '&')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;');
}

/**
* Renders a heatmap.
*
Expand Down Expand Up @@ -209,8 +222,11 @@ export async function heatmap(
//@ts-ignore
embedOpts.tooltip = {
sanitize: (value: string|number) => {
const valueString = String(value);
return valueString.replace(suffixRegex, '');
// Strip the internal index suffix, then re-apply the HTML escaping
// that vega-tooltip performs by default. Supplying a custom `sanitize`
// bypasses that default, so without this, tick-label strings would be
// interpreted as HTML in the tooltip.
return escapeHTML(String(value).replace(suffixRegex, ''));
}
};
}
Expand Down
18 changes: 17 additions & 1 deletion tfjs-vis/src/render/heatmap_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ import * as tf from '@tensorflow/tfjs-core';

import {HeatmapData} from '../types';

import {heatmap} from './heatmap';
import {escapeHTML, heatmap} from './heatmap';

describe('renderHeatmap', () => {
let pixelRatio: number;
Expand Down Expand Up @@ -223,3 +223,19 @@ describe('renderHeatmap', () => {
expect(threw).toBe(true);
});
});

describe('escapeHTML', () => {
it('escapes HTML-significant characters', () => {
expect(escapeHTML('<img src=x onerror="alert(1)">'))
.toEqual(
'&lt;img src=x onerror=&quot;alert(1)&quot;&gt;');
});

it('escapes ampersands before other entities', () => {
expect(escapeHTML('a & b < c')).toEqual('a &amp; b &lt; c');
});

it('leaves plain tick labels unchanged', () => {
expect(escapeHTML('alpha')).toEqual('alpha');
});
});