From d0c7047cc125a798a8d1ef3a0ad32142d3d19abe Mon Sep 17 00:00:00 2001 From: Tom Augspurger Date: Sat, 10 Feb 2024 13:37:54 -0600 Subject: [PATCH 1/2] Added note for Styler --- doc/source/user_guide/style.ipynb | 4 +++- pandas/io/formats/style.py | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/source/user_guide/style.ipynb b/doc/source/user_guide/style.ipynb index 2d4b0f6a7545e..f831723f44931 100644 --- a/doc/source/user_guide/style.ipynb +++ b/doc/source/user_guide/style.ipynb @@ -1621,7 +1621,9 @@ "source": [ "### HTML Escaping\n", "\n", - "Suppose you have to display HTML within HTML, that can be a bit of pain when the renderer can't distinguish. You can use the `escape` formatting option to handle this, and even use it within a formatter that contains HTML itself." + "Suppose you have to display HTML within HTML, that can be a bit of pain when the renderer can't distinguish. You can use the `escape` formatting option to handle this, and even use it within a formatter that contains HTML itself.\n", + "\n", + "Note that if you're using `Styler` on untrusted, user-provided input to serve HTML then you should escape the input to prevent security vulnerabilities. See the Jinja2 documentation for more." ] }, { diff --git a/pandas/io/formats/style.py b/pandas/io/formats/style.py index 31e025ace4b03..8640cc1a2bd68 100644 --- a/pandas/io/formats/style.py +++ b/pandas/io/formats/style.py @@ -178,6 +178,14 @@ class Styler(StylerRenderer): escape : str, optional Use 'html' to replace the characters ``&``, ``<``, ``>``, ``'``, and ``"`` in cell display string with HTML-safe sequences. + + .. warning:: + + ``Styler`` is primarily intended for use on safe input that you control. + When using ``Styler`` on untrusted, user-provided input to serve HTML, + you should set ``escape=true`` to prevent security vulnerabilities. + See the Jinja2 documentation on HTML escaping for more. + Use 'latex' to replace the characters ``&``, ``%``, ``$``, ``#``, ``_``, ``{``, ``}``, ``~``, ``^``, and ``\`` in the cell display string with LaTeX-safe sequences. Use 'latex-math' to replace the characters From 950006d17624ca9974911e4c0782eede939b9b1e Mon Sep 17 00:00:00 2001 From: Tom Augspurger Date: Mon, 19 Feb 2024 17:36:01 -0600 Subject: [PATCH 2/2] Fixup --- pandas/io/formats/style.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/pandas/io/formats/style.py b/pandas/io/formats/style.py index 8640cc1a2bd68..697a850e7f1d8 100644 --- a/pandas/io/formats/style.py +++ b/pandas/io/formats/style.py @@ -179,13 +179,6 @@ class Styler(StylerRenderer): Use 'html' to replace the characters ``&``, ``<``, ``>``, ``'``, and ``"`` in cell display string with HTML-safe sequences. - .. warning:: - - ``Styler`` is primarily intended for use on safe input that you control. - When using ``Styler`` on untrusted, user-provided input to serve HTML, - you should set ``escape=true`` to prevent security vulnerabilities. - See the Jinja2 documentation on HTML escaping for more. - Use 'latex' to replace the characters ``&``, ``%``, ``$``, ``#``, ``_``, ``{``, ``}``, ``~``, ``^``, and ``\`` in the cell display string with LaTeX-safe sequences. Use 'latex-math' to replace the characters @@ -217,6 +210,13 @@ class Styler(StylerRenderer): Notes ----- + .. warning:: + + ``Styler`` is primarily intended for use on safe input that you control. + When using ``Styler`` on untrusted, user-provided input to serve HTML, + you should set ``escape="html"`` to prevent security vulnerabilities. + See the Jinja2 documentation on escaping HTML for more. + Most styling will be done by passing style functions into ``Styler.apply`` or ``Styler.map``. Style functions should return values with strings containing CSS ``'attr: value'`` that will