fix(skill-creator): eval-viewer HTML breakout + metadata search depth#959
Open
john-savepoint wants to merge 1 commit intoanthropics:mainfrom
Open
Conversation
Two bugs in generate_review.py: 1. User-generated outputs containing `</script>` (e.g. code samples showing gtag.js integration) break out of the embedded `<script>` block, corrupting the entire viewer HTML. Fix: escape `</` to `<\/` after `json.dumps()` — both forms are valid JSON (RFC 8259 §7) and the browser's HTML parser no longer sees a premature script terminator. 2. `eval_metadata.json` is only searched 1 level up from `run_dir`, but the canonical workspace layout places it 2 levels up (`eval-N/eval_metadata.json` vs `eval-N/with_skill/run-1/`). This causes all prompts to show as "(No prompt found)" in the viewer. Fix: add `run_dir.parent.parent` to the search path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two bugs in
skills/skill-creator/eval-viewer/generate_review.py:HTML breakout via
</script>in user content.json.dumps()doesn't escape/, so when eval outputs contain</script>(common in code samples showing gtag.js, GTM snippets, etc.), the embedded<script>block terminates prematurely, corrupting the entire viewer. Fix:.replace("</", r"<\/")afterjson.dumps()— valid JSON per RFC 8259 §7, standard XSS-safe-embed pattern.eval_metadata.jsonnot found at canonical depth. The viewer searchesrun_dirandrun_dir.parentfor metadata, but the workspace layout documented in SKILL.md places it ateval-N/eval_metadata.json— two levels aboveeval-N/with_skill/run-1/. All prompts render as "(No prompt found)". Fix: addrun_dir.parent.parentto the search path.Test plan
</script>— renders correctly after fixeval_metadata.jsonat theeval-N/level<\/round-trips throughJSON.parse()identically to</(RFC 8259 permits both)🤖 Generated with Claude Code