Skip to content

profiling.sampling flamegraph does not escape function names in HTML output #153840

Description

@tonghuaroot

Bug description

The flamegraph exporter in profiling.sampling embeds profile strings into the generated HTML without escaping:

  1. _create_flamegraph_html writes json.dumps(data) into an inline <script> block. A function name containing </script> breaks out of the script element.

  2. flamegraph.js interpolates the raw function name into a tooltip via .html() (innerHTML).

The sibling heatmap exporter already escapes its embedded data (html.escape(json.dumps(...))), and flamegraph.js already defines and uses escapeHtml() for displayName and source lines -- the function name was missed.

As a bonus, <lambda>, <module>, <genexpr> currently render as empty tooltip titles because the browser drops them as unknown tags. Escaping fixes this.

CPython versions tested on

main

Operating systems tested on

macOS

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    stdlibStandard Library Python modules in the Lib/ directorytopic-profilingtype-bugAn unexpected behavior, bug, or error

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions