From db6cda68f55c8d49f8cab2c57cabdbe4dd48d3a9 Mon Sep 17 00:00:00 2001
From: Andreas Mueller
Date: Wed, 17 Sep 2025 10:05:47 -0700
Subject: [PATCH] escape html in sidebar
---
 scripts/static/js/sidebar.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/scripts/static/js/sidebar.js b/scripts/static/js/sidebar.js
index 366700d71..24d98bd33 100644
--- a/scripts/static/js/sidebar.js
+++ b/scripts/static/js/sidebar.js
@@ -49,7 +49,7 @@ export function showSidebarContent(d, fromHover = false) {
 // Helper to render tab content
 function renderSidebarTabContent(tabName, d, children) {
 if (tabName === 'Code') {
- return ``;
+ return ``;
 }
 if (tabName === 'Prompts') {
 // Prompt select logic
@@ -328,4 +328,15 @@ export function openInNewTab(event, d) {
 export function setSidebarSticky(val) {
 sidebarSticky = val;
+}
+
+// Helper to escape HTML so code can be shown verbatim inside
+function escapeHtml(str) {
+    if (str === undefined || str === null) return '';
+    return String(str)
+        .replace(/&/g, '&')
+        .replace(//g, '>')
+        .replace(/"/g, '"')
+        .replace(/'/g, ''');
 }
\ No newline at end of file
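Review bot: `escapeHtml` only protects the two contexts its replacements cover, HTML text content and quoted attribute values, and the comment above it does not say so. Consider extending that comment with something like `// Safe for element text and quoted attribute values only; not for URLs, unquoted attributes or inline event handlers.` so the helper is not reused where it gives no protection. The first hunk changes only the `'Code'` branch return of `renderSidebarTabContent`; the `'Prompts'` branch and the rest of that function lie outside the hunk, so it is worth checking whether other fields of `d` are still interpolated into markup unescaped. As this page renders the patch, the replacement strings appear as literal characters and no `<` rule is visible, which looks like a display artefact; confirm against the raw file that the targets are `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, with `&` replaced first.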