From 555f2b8edfe1680d900b8d7cb6cd19ffb7fdf8d6 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Fri, 22 May 2026 06:04:03 +0700
Subject: [PATCH] fix(security)(art): missing input validation in display_image_grid

The display_image_grid function in src/art/utils/old_benchmarking/display_image_grid.py constructs HTML by directly interpolating image_paths into an HTML string without sanitization. If image_paths contains malicious input, it could lead to XSS in Jupyter notebook environments.
Affected files: display_image_grid.py
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 src/art/utils/old_benchmarking/display_image_grid.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/art/utils/old_benchmarking/display_image_grid.py b/src/art/utils/old_benchmarking/display_image_grid.py
index 541173a3d..23b680048 100644
--- a/src/art/utils/old_benchmarking/display_image_grid.py
+++ b/src/art/utils/old_benchmarking/display_image_grid.py
@@ -1,3 +1,5 @@
+import html
+
 from IPython.display import HTML, display
@@ -6,6 +8,7 @@ def display_image_grid(image_paths: list[str], images_per_row: int = 2):
""" for path in image_paths: - html += f"" + escaped_path = html.escape(path) + html += f"" html += "
" display(HTML(html))
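Review bot: The added `escaped_path = html.escape(path)` never reaches the stdlib module: inside display_image_grid the name `html` is the string accumulator (the `html += ...` statements in this same hunk make it a local for the entire function body), so the call resolves against a `str` and raises AttributeError before anything is rendered — the new top-level `import html` only binds the module at file scope. Import the function rather than the module, `from html import escape`, and write `escaped_path = escape(path)` (or alias the module, e.g. `import html as html_mod`, and rename nothing else). `escape` with its default `quote=True` also neutralises `"` and `'`, which is what a quoted attribute such as `src="..."` needs; the tag text is stripped in this rendering of the hunk (`f""`), so confirm the interpolation really sits inside a quoted attribute rather than in unquoted or raw-HTML position. A small test that calls the function with a path like `x" onerror="alert(1)` and checks the emitted string would have caught the shadowing and pins the encoding. The function signature and the initial `html = ...` assignment are above the hunk.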