Security: Missing Input Validation in display_image_grid #691

Open. tuanaiseo wants to merge 1 commit into OpenPipe:main from tuanaiseo:contribai/fix/security/missing-input-validation-in-display-imag

Conversation

@tuanaiseo

Problem

The display_image_grid function in src/art/utils/old_benchmarking/display_image_grid.py constructs HTML by directly interpolating image_paths into an HTML string without sanitization. If image_paths contains malicious input, it could lead to XSS in Jupyter notebook environments.

Severity: medium
File: src/art/utils/old_benchmarking/display_image_grid.py

Solution

Escape or sanitize image_paths before embedding in HTML. Use html.escape() on path strings or use a proper templating engine with auto-escaping. Validate that paths are actual file paths and do not contain HTML/JavaScript.

Changes

  • src/art/utils/old_benchmarking/display_image_grid.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The display_image_grid function in src/art/utils/old_benchmarking/display_image_grid.py constructs HTML by directly interpolating image_paths into an HTML string without sanitization. If image_paths contains malicious input, it could lead to XSS in Jupyter notebook environments.

Affected files: display_image_grid.py

Signed-off-by: tuanaiseo <[email protected]>
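To make the fix described above concrete, here is an added example (not the project's code, and not the contents of this PR) that reconstructs the interpolation pattern the description names beside a hardened version using html.escape() plus a path check. The function shapes, the `columns` parameter and the allowed extension list are assumptions for illustration.

```python
import html
import os.path
from typing import Iterable

# Characters that never belong in a plain image file path produced by a
# filesystem walk; their presence means the value is not a real path.
_FORBIDDEN = set('<>"\'&\x00\r\n')
_IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp")  # assumed allow-list


def validate_image_path(path: str) -> str:
    """Return path unchanged if it looks like an image file path, else raise."""
    if not isinstance(path, str) or not path:
        raise ValueError("image path must be a non-empty string")
    if _FORBIDDEN & set(path):
        raise ValueError(f"image path contains markup characters: {path!r}")
    if os.path.splitext(path)[1].lower() not in _IMAGE_EXTS:
        raise ValueError(f"not an image file: {path!r}")
    return path


def render_image_grid_unsafe(image_paths: Iterable[str], columns: int = 3) -> str:
    # Reconstruction of the pattern the PR describes: each path is dropped
    # straight into an attribute, so a quote in the path ends the attribute.
    cells = "".join(f'<img src="{p}" style="width:200px">' for p in image_paths)
    return (f'<div style="display:grid;grid-template-columns:repeat({columns},1fr)">'
            f'{cells}</div>')


def render_image_grid(image_paths: Iterable[str], columns: int = 3) -> str:
    """Hardened form: validate each path, then escape it for an attribute context."""
    if not isinstance(columns, int) or columns < 1:
        raise ValueError("columns must be a positive integer")
    cells = []
    for p in image_paths:
        # Escaping is kept even after validation (defense in depth);
        # quote=True also converts " and ' so the attribute cannot be closed early.
        safe = html.escape(validate_image_path(p), quote=True)
        cells.append(f'<img src="{safe}" style="width:200px">')
    return (f'<div style="display:grid;grid-template-columns:repeat({columns},1fr)">'
            f'{"".join(cells)}</div>')


if __name__ == "__main__":
    # Constructed sample input; in a notebook the result would be passed to
    # IPython.display.HTML.
    print(render_image_grid(["grid/a.png", "grid/b.jpg"], columns=2))
```

The validator rejects `&` as well, which is safe for benchmarking output directories but would need relaxing for paths that legitimately contain it.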