From 63b9e63ced2aaa5e01ddc2edb9bc92dc7f9859f0 Mon Sep 17 00:00:00 2001
From: Maximilian Linhoff <maximilian.linhoff@tu-dortmund.de>
Date: Mon, 17 Jul 2023 13:05:45 +0200
Subject: [PATCH] Fix Tool repr_html and add html escaping

---
 ctapipe/core/component.py | 15 +++++++++------
 ctapipe/core/tool.py      | 10 +++++++---
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/ctapipe/core/component.py b/ctapipe/core/component.py
index cbfc05b2584..b3b5b91a733 100644
--- a/ctapipe/core/component.py
+++ b/ctapipe/core/component.py
@@ -1,4 +1,5 @@
 """ Class to handle configuration for algorithms """
+import html
 import warnings
 import weakref
 from abc import ABCMeta
@@ -235,7 +236,7 @@ def _repr_html_(self):
         lines = [
             '<div style="border:1px solid black; max-width: 700px; padding:2em; word-wrap:break-word;">',
             f"<b>{name}</b>",
-            f"<p> {docstring} </p>",
+            docstring,
             "<table>",
             "    <colgroup>",
             "        <col span='1' style=' '>",
@@ -246,21 +247,23 @@ def _repr_html_(self):
         ]
         for key, val in self.get_current_config()[name].items():
             htmlval = (
-                str(val).replace("/", "/<wbr>").replace("_", "_<wbr>")
+                html.escape(str(val)).replace("/", "/<wbr>").replace("_", "_<wbr>")
             )  # allow breaking at boundary
 
             # traits of the current component
             if key in traits:
-                thehelp = f"{traits[key].help} (default: {traits[key].default_value})"
+                thehelp = html.escape(
+                    f"{traits[key].help} (default: {traits[key].default_value})"
+                )
                 lines.append(f"<tr><th>{key}</th>")
                 if val != traits[key].default_value:
                     lines.append(
-                        f"<td style='text-align: left;'><span style='color:blue; max-width:30em;'>{htmlval}</span></td>"
+                        f'<td style="text-align: left;"><span style="color:blue; max-width:30em;">{htmlval}</span></td>'
                     )
                 else:
-                    lines.append(f"<td style='text-align: left;'>{htmlval}</td>")
+                    lines.append(f'<td style="text-align: left;">{htmlval}</td>')
                 lines.append(
-                    f"<td style='text-align: left;'><i>{thehelp}</i></td></tr>"
+                    f'<td style="text-align: left;"><i>{thehelp}</i></td></tr>'
                 )
         lines.append("    </tbody>")
         lines.append("</table>")
diff --git a/ctapipe/core/tool.py b/ctapipe/core/tool.py
index 5f6744d2c95..5d28c1585a3 100644
--- a/ctapipe/core/tool.py
+++ b/ctapipe/core/tool.py
@@ -1,4 +1,5 @@
 """Classes to handle configurable command-line user interfaces."""
+import html
 import logging
 import logging.config
 import os
@@ -495,8 +496,9 @@ def _repr_html_(self):
             or "Undocumented"
         )
         lines = [
+            '<div style="border:1px solid black; max-width: 700px; padding:2em; word-wrap:break-word;">',
             f"<b>{name}</b>",
-            f"<p> {docstring} </p>",
+            docstring,
             "<table>",
             "    <colgroup>",
             "        <col span='1' style=' '>",
@@ -507,12 +509,14 @@ def _repr_html_(self):
         ]
         for key, val in self.get_current_config()[name].items():
             htmlval = (
-                str(val).replace("/", "/<wbr>").replace("_", "_<wbr>")
+                html.escape(str(val)).replace("/", "/<wbr>").replace("_", "_<wbr>")
             )  # allow breaking at boundary
 
             # traits of the current component
             if key in traits:
-                thehelp = f"{traits[key].help} (default: {traits[key].default_value})"
+                thehelp = html.escape(
+                    f"{traits[key].help} (default: {traits[key].default_value})"
+                )
                 lines.append(f"<tr><th>{key}</th>")
                 if val != traits[key].default_value:
                     lines.append(