peiyangL changed the title from "Bug in Text Visualization Code - Improper Escaping Leading to Incorrect Visualization and Security Issues" to "Bug in Text Visualization Code" on Dec 23, 2023.

Overview

The affected code snippet can be found here: https://github.com/pytorch/captum/blob/master/captum/attr/_utils/visualization.py#L829-L836

Within the format_word_importances function, the word variable is not being properly escaped before being incorporated into the HTML template. This oversight could potentially result in incorrect visualization outputs or even present a security vulnerability if untrusted input is used. Below, I provide two examples to demonstrate these issues:

To Reproduce

Case 1: Commented-out User Input

The last four words are not displayed correctly.

Case 2: Cross-Site Scripting (XSS) in a Jupyter Environment

Solution

The fix for this issue is straightforward: implement proper escaping for the word variable. Just modify line 829.

word = format_special_tokens(word)

->

import html
word = html.escape(word)
# word = html.escape(format_special_tokens(word))  # if you want to keep the format_special_tokens function
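To make Case 1 concrete, the following is an added example, not captum's code and not part of the issue above: a simplified stand-in for format_word_importances that can run with or without the html.escape fix, plus a crude model of what a browser would display, so the effect of an unescaped comment opener on the remaining words is visible. The token list, importances and the visible_text helper are constructed for this demonstration.

```python
import html
import re

def format_word_importances(words, importances, escape=True):
    """Simplified stand-in for captum's format_word_importances (hypothetical,
    not the library's code). Each word is wrapped in a <mark> whose opacity
    reflects |importance|. escape=False reproduces the reported bug: the word
    is templated verbatim; escape=True applies the fix (html.escape)."""
    cells = []
    for word, imp in zip(words, importances):
        shown = html.escape(word) if escape else word
        style = f"background-color: hsla(120, 75%, 50%, {min(abs(imp), 1.0):.2f})"
        cells.append(f'<mark style="{style}">{shown}</mark>')
    return "<td>" + " ".join(cells) + "</td>"

# Crude browser model (constructed): an HTML comment ends at "-->" or, if there
# is none, swallows everything to the end of the input, as HTML5 parsers do.
_COMMENT = re.compile(r"<!--.*?(?:-->|$)", re.DOTALL)
_TAG = re.compile(r"<[^>]*>")

def visible_text(fragment):
    """Return the words a browser would show: drop comments, drop tags, decode entities."""
    no_comments = _COMMENT.sub("", fragment)
    return html.unescape(_TAG.sub("", no_comments)).split()

def demo(escape):
    # Constructed input: one token that opens an HTML comment, as in "Case 1".
    words = ["the", "model", "<!--", "attends", "to", "these", "words"]
    importances = [0.1, 0.6, 0.0, 0.9, 0.2, 0.4, 0.5]
    return visible_text(format_word_importances(words, importances, escape))

if __name__ == "__main__":
    print("unescaped:", demo(False))  # ['the', 'model']: later words swallowed
    print("escaped:  ", demo(True))   # all seven words, '<!--' shown literally
```

With escaping on, the same check applied to a token containing tag syntax yields only entity text in the output, which is why the one-line fix also closes Case 2.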