Problem
The model logging example inserts commit and tags values directly into rich-text TextEntry HTML without escaping. Metadata values containing HTML become rendered markup instead of literal model metadata.
Minimum repro
logger.log(
tags=["<img src=x onerror=alert(1)>"] ,
metrics={},
results=b"",
figures=[],
commit="<b>x</b>",
)
Actual rich-text payloads include raw <b> and <img> markup.
Expected: user-supplied metadata should be escaped before being embedded into HTML, matching the safer escaping used by other examples such as CSV table upload.
Pointers
examples/model_logging/model_logger.py, commit is interpolated directly into a TextEntry.
examples/model_logging/model_logger.py, each tag is interpolated directly into a <span>.
Problem
The model logging example inserts
commitandtagsvalues directly into rich-textTextEntryHTML without escaping. Metadata values containing HTML become rendered markup instead of literal model metadata.Minimum repro
Actual rich-text payloads include raw
<b>and<img>markup.Expected: user-supplied metadata should be escaped before being embedded into HTML, matching the safer escaping used by other examples such as CSV table upload.
Pointers
examples/model_logging/model_logger.py, commit is interpolated directly into aTextEntry.examples/model_logging/model_logger.py, each tag is interpolated directly into a<span>.