fix: escape arbitrary text in markup

austin_tui/adapters.py

@@ -34,14 +34,10 @@
 from austin_tui.view import View
 from austin_tui.widgets.graph import FlameGraphData
 from austin_tui.widgets.markup import AttrString
+from austin_tui.widgets.markup import escape
 from austin_tui.widgets.table import TableData
 
 
-def escape(text: str) -> str:
- """Escape angle brackets."""
- return text.replace("<", "&lt;").replace(">", "&gt;")
-
-
 class Adapter:
  """Model-View adapter.
 
@@ -116,7 +112,7 @@ def transform(self) -> AttrString:
  """Retrieve the command line."""
  cmd = self._model.austin.command_line
  exec, _, args = cmd.partition(" ")
- return self._view.markup(f"<exec><b>{exec}</b></exec> {args}")
+ return self._view.markup(f"<exec><b>{escape(exec)}</b></exec> {escape(args)}")
 
  def update(self, data: AttrString) -> bool:
  """Update the widget."""

austin_tui/controller.py

@@ -40,6 +40,7 @@
 from austin_tui.adapters import ThreadNameAdapter
 from austin_tui.model import Model
 from austin_tui.view import ViewBuilder
+from austin_tui.widgets.markup import escape
 
 
 class ThreadNav(Enum):
@@ -258,7 +259,9 @@ def _dump_stats() -> None:
  if not line.startswith("# "):
  fout.write(line + "\n")
  self.view.notification.set_text(
- self.view.markup(f"Stats saved as <running>{filename}</running> 📝 ")
+ self.view.markup(
+ f"Stats saved as <running>{escape(filename)}</running> 📝 "
+ )
  )
  except IOError as e:
  self.view.notification.set_text(f"Failed to save stats: {e}")

austin_tui/widgets/markup.py

@@ -25,18 +25,14 @@
 import curses
 from dataclasses import dataclass
 from typing import Any, List, TYPE_CHECKING
+from xml.sax.saxutils import escape
 
 from lxml import etree
 
 if TYPE_CHECKING:
  from austin_tui.view.palette import Palette
 
 
-def escape(text: str) -> str:
- """Escape angle brackets."""
- return text.replace("<", "&lt;").replace(">", "&gt;")
-
-
 def _unescape(text: str) -> str:
  """Unescape angle brackets."""
  return text.replace("&lt;", "<").replace("&gt;", ">")