Skip to content

model_logging example writes unescaped metadata into rich-text entries #209

Description

@Flerpharos

Problem

The model logging example inserts commit and tags values directly into rich-text TextEntry HTML without escaping. Metadata values containing HTML become rendered markup instead of literal model metadata.

Minimum repro

logger.log(
    tags=["<img src=x onerror=alert(1)>"] ,
    metrics={},
    results=b"",
    figures=[],
    commit="<b>x</b>",
)

Actual rich-text payloads include raw <b> and <img> markup.

Expected: user-supplied metadata should be escaped before being embedded into HTML, matching the safer escaping used by other examples such as CSV table upload.

Pointers

  • examples/model_logging/model_logger.py, commit is interpolated directly into a TextEntry.
  • examples/model_logging/model_logger.py, each tag is interpolated directly into a <span>.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions