From b26c2c52b4655f03d2335c7dbde301ee7ed035b3 Mon Sep 17 00:00:00 2001
From: Raphael Ahrens
Date: Wed, 8 Oct 2025 09:50:54 +0200
Subject: [PATCH] Fix for #278 missing html escaping for dot

It was possible to inject html markup in the label of a dot node. This lead to the error observed in #278. This fix is currently only for the label attribute. Other attribute might be affected as well.
---
 pytm/pytm.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pytm/pytm.py b/pytm/pytm.py
index a7116878..545704fa 100644
--- a/pytm/pytm.py
+++ b/pytm/pytm.py
@@ -1496,7 +1496,7 @@ def display_name(self):
         return self.name
 
     def _label(self):
-        return "\\n".join(wrap(self.display_name(), 18))
+        return "\\n".join(wrap(html.escape(self.display_name()), 18))
 
     def _shape(self):
         return "square"
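Review bot: Escaping before wrapping on the added line lets `wrap(..., 18)` measure and break the entity-expanded text, so an entity such as `&amp;` or `&quot;` inside a long token can be split across a `\\n` boundary (`textwrap.wrap` breaks long words by default) and the visible line width shrinks by the entity overhead. Wrapping the raw name first and escaping each fragment avoids both: `return "\\n".join(html.escape(part) for part in wrap(self.display_name(), 18))`. The diffstat shows a single changed line, so this relies on `html` already being imported in pytm.py; if it is not, every label render raises NameError. `html.escape` also rewrites `"` as `&quot;`, which is only right if this label is emitted as a DOT HTML-like label rather than a plain quoted string, so a comment stating that assumption, e.g. `# rendered inside an HTML-like DOT label, so HTML-escape user-supplied names`, would help the next maintainer. The enclosing class begins and ends outside the hunk.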