Bug in Text Visualization Code #1226
peiyangL changed the title from "Bug in Text Visualization Code - Improper Escaping Leading to Incorrect Visualization and Security Issues" to "Bug in Text Visualization Code" on Dec 23, 2023
Overview

The affected code snippet can be found here: https://github.com/pytorch/captum/blob/master/captum/attr/_utils/visualization.py#L829-L836

Within the `format_word_importances` function, the `word` variable is not being properly escaped before being incorporated into the HTML template. This oversight could potentially result in incorrect visualization outputs or even present a security vulnerability if untrusted input is used. Below, I provide two examples to demonstrate these issues:

To Reproduce
Case 1: Commented-out User Input
The last four words are not displayed correctly.
Case 2: Cross-Site Scripting (XSS) in a Jupyter Environment
Solution
The fix for this issue is straightforward—by implementing proper escaping for the `word` variable. Just modify line 829.
->
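As an added illustration, not captum's own code, the following Python contrasts the raw interpolation pattern described in this issue with a version that passes each word through `html.escape`. The markup is a simplified stand-in for the real template, `_get_color` is a hypothetical helper, and the sample words are constructed so that the third one opens an HTML comment (Case 1) and the last one carries a tag (the same mechanism behind Case 2).

```python
import html

# Constructed sample input: the third "word" opens an HTML comment, so a raw
# template swallows everything after it (Case 1); the last one carries markup
# that an unescaped template hands to the browser as a live tag (Case 2).
SAMPLE_WORDS = ["the", "model", "<!--", "hidden", "<b>tag</b>"]
SAMPLE_IMPORTANCES = [0.1, 0.6, -0.3, 0.2, 0.9]


def _get_color(attr: float) -> str:
    """Hypothetical helper: tint green for positive, red for negative attribution,
    with opacity scaled by magnitude. Not captum's own colour function."""
    attr = max(-1.0, min(1.0, attr))
    alpha = abs(attr) * 0.8 + 0.2
    channel = "0,200,0" if attr > 0 else "200,0,0"
    return f"rgba({channel},{alpha:.2f})"


def render_unescaped(words, importances) -> str:
    """Simplified stand-in for the reported pattern: `word` is interpolated raw,
    so any angle bracket it contains becomes markup instead of text."""
    spans = [f'<span style="background-color:{_get_color(a)}">{w}</span>'
             for w, a in zip(words, importances)]
    return "<div>" + " ".join(spans) + "</div>"


def render_escaped(words, importances) -> str:
    """Hardened variant: html.escape turns <, >, &, ' and " into entities, so the
    browser displays the word verbatim and never parses it as markup."""
    spans = [f'<span style="background-color:{_get_color(a)}">'
             f'{html.escape(str(w), quote=True)}</span>'
             for w, a in zip(words, importances)]
    return "<div>" + " ".join(spans) + "</div>"


def count_visible_words(rendered: str) -> int:
    """Crude visibility check: text after an unclosed '<!--' is inside a comment
    and is never displayed, so only spans closed before it count as visible."""
    visible = rendered.split("<!--", 1)[0]
    return visible.count("</span>")
```

Running `count_visible_words` on both renderings shows why the issue reports the trailing words as missing: the unescaped output displays only the two words before the comment opener, while the escaped output keeps all five.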