Fix 4 bugs: SQL conflict handling, HTML escaping, backup cap, safe int cast

- sync_to_db: use ON CONFLICT for duplicate sequence numbers - history_tree: html.escape() for Graphviz DOT labels - tab_timeline_ng: cap history_tree_backup to 10 entries - tab_batch_ng: add _safe_int() helper for VACE settings Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 21:03:13 +01:00
parent 1b8d13f7c4
commit 04b9ed0e27
4 changed files with 18 additions and 8 deletions
--- a/history_tree.py
+++ b/history_tree.py
@@ -1,3 +1,4 @@
+import html
 import time
 import uuid
 from typing import Any
@@ -154,13 +155,14 @@ class HistoryTree:
            full_note = n.get('note', 'Step')

            display_note = (full_note[:max_note_len] + '..') if len(full_note) > max_note_len else full_note
+            display_note = html.escape(display_note)

            ts = time.strftime('%b %d %H:%M', time.localtime(n['timestamp']))

            # Branch label for tip nodes
            branch_label = ""
            if nid in tip_to_branches:
-                branch_label = ", ".join(tip_to_branches[nid])
+                branch_label = html.escape(", ".join(tip_to_branches[nid]))

            # COLORS — per-branch tint, overridden for HEAD and tips
            b_name = node_to_branch.get(nid)
@@ -190,7 +192,7 @@ class HistoryTree:
                + '</TABLE>>'
            )

-            safe_tooltip = full_note.replace('"', "'")
+            safe_tooltip = full_note.replace('\\', '\\\\').replace('"', '\\"')
            dot.append(f'  "{nid}" [label={label}, tooltip="{safe_tooltip}"];')

            if n["parent"] and n["parent"] in self.nodes: