Bug description
The flamegraph exporter in profiling.sampling embeds profile strings into the generated HTML without escaping:
-
_create_flamegraph_html writes json.dumps(data) into an inline <script> block. A function name containing </script> breaks out of the script element.
-
flamegraph.js interpolates the raw function name into a tooltip via .html() (innerHTML).
The sibling heatmap exporter already escapes its embedded data (html.escape(json.dumps(...))), and flamegraph.js already defines and uses escapeHtml() for displayName and source lines -- the function name was missed.
As a bonus, <lambda>, <module>, <genexpr> currently render as empty tooltip titles because the browser drops them as unknown tags. Escaping fixes this.
CPython versions tested on
main
Operating systems tested on
macOS
Linked PRs
Bug description
The flamegraph exporter in
profiling.samplingembeds profile strings into the generated HTML without escaping:_create_flamegraph_htmlwritesjson.dumps(data)into an inline<script>block. A function name containing</script>breaks out of the script element.flamegraph.jsinterpolates the raw function name into a tooltip via.html()(innerHTML).The sibling heatmap exporter already escapes its embedded data (
html.escape(json.dumps(...))), andflamegraph.jsalready defines and usesescapeHtml()fordisplayNameand source lines -- the function name was missed.As a bonus,
<lambda>,<module>,<genexpr>currently render as empty tooltip titles because the browser drops them as unknown tags. Escaping fixes this.CPython versions tested on
main
Operating systems tested on
macOS
Linked PRs