From 64b1ea3f8de6438cf4315c82f8115bcf114d1e22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C4=99drzej=20Boczar?= <yendreij@gmail.com>
Date: Tue, 23 Apr 2024 10:10:51 +0200
Subject: [PATCH] fix(html): escape text in html output #29

---
 elf_size_analyze/html/gen.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/elf_size_analyze/html/gen.py b/elf_size_analyze/html/gen.py
index f161484..5a9c803 100644
--- a/elf_size_analyze/html/gen.py
+++ b/elf_size_analyze/html/gen.py
@@ -3,6 +3,7 @@
 """
 
 import os
+import html
 
 THIS_DIR = os.path.dirname(os.path.abspath(os.path.realpath(__file__)))
 DEFAULT_CSS = os.path.join(THIS_DIR, 'styles.css')
@@ -23,7 +24,7 @@ def _print_children(node, level=0):
         for x, y in node.items():
             table_content += f"""
             <tr class="collapsible level-{level}">
-                <td style='padding-left:{10*level}px;word-break:break-all;word-wrap:break-word'>{x}</td>
+                <td style='padding-left:{10*level}px;word-break:break-all;word-wrap:break-word'>{html.escape(x)}</td>
                 <td width='200px' align='right'>{y['cumulative_size']}</td>
             </tr>
     """
@@ -41,14 +42,14 @@ def _print_children(node, level=0):
 <!DOCTYPE html>
 <html lang="en">
     <head>
-        <title>{title}</title>
+        <title>{html.escape(title)}</title>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1">
         <style>{css_styles}</style>
         <script>{javascript}</script>
     </head>
     <body>
-        <h3>{title}</h3>
+        <h3>{html.escape(title)}</h3>
         <div class="collapse-buttons">
             <span>Collapse</span>
             <button class="all">All</button>