Fix web dash to handle large values better #3272
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the web dashboard entity-attributes rendering to better handle very large attribute values and avoid breaking the UI. It introduces truncation for display and a larger, escaped version for tooltips.
Changes:
- Replace the previous hard cutoff of large attribute values (
> 1024chars) with a scheme that shows a truncated 128-character preview plus a tooltip. - Limit tooltip content to 16k characters and escape HTML entities in the tooltip string for safer rendering.
| full_value = str(value)[:16384] # Limit to 16k | ||
| full_value = full_value.replace("&", "&").replace("<", "<").replace(">", ">").replace('"', """).replace("'", "'") | ||
| if len(str(value)) > 128: | ||
| display_value = str(value)[:128] + " ... " | ||
| # Escape HTML entities for tooltip | ||
| text += '<tr><td>{}</td><td title="{}">{}</td></tr>'.format(key, full_value, display_value) | ||
| else: | ||
| text += "<tr><td>{}</td><td>{}</td></tr>".format(key, value) |
There was a problem hiding this comment.
The new logic escapes full_value for the tooltip but still interpolates display_value and the non-truncated value directly into the <td> contents without HTML escaping. If an attribute value contains <, >, or other HTML, this will be rendered as raw markup and could allow HTML/JS injection in the web UI. Consider HTML-escaping both the visible cell content (for both the truncated and non-truncated branches) and the tooltip consistently (for example using html_module.escape as elsewhere in this file) instead of only partially escaping the tooltip string.
#3269