Skip to content

fix(skill-creator): escape eval viewer attributes#1399

Open
ebbsanchez wants to merge 1 commit into
anthropics:mainfrom
ebbsanchez:fix/eval-viewer-escape-attribute
Open

fix(skill-creator): escape eval viewer attributes#1399
ebbsanchez wants to merge 1 commit into
anthropics:mainfrom
ebbsanchez:fix/eval-viewer-escape-attribute

Conversation

@ebbsanchez

Copy link
Copy Markdown

Fixes #1394.

Summary

  • make the eval viewer escaping helper encode quotes in addition to &, <, and >
  • route benchmark metadata and config labels through the escaping helper before assigning generated markup via innerHTML
  • apply the same escaping helper update to the trigger eval review asset

Verification

  • git diff --check
  • local string harness with the issue payload x" onmouseover="alert(document.domain) confirmed the tooltip source keeps the quote as &quot;, so it does not terminate the title attribute

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

skill-creator: eval-viewer escapeHtml is not attribute-safe and is applied inconsistently (display-path XSS)

2 participants