Merge commit from fork

jacobtomlinson · web-flow · commit ab72092a8a93 · 2026-01-16T11:33:15.000Z
diff --git a/distributed/dashboard/tests/test_scheduler_bokeh.py b/distributed/dashboard/tests/test_scheduler_bokeh.py
@@ -1099,6 +1099,17 @@ async def test_proxy_to_workers(c, s, a, b):
         assert response_direct.code == 200
         assert b"System" in response_direct.body
 
+    if proxy_exists:
+        dashboard_port = s.http_server.port
+        http_client = AsyncHTTPClient()
+        unsafe_host = "<><><>"  # Some unsafe characters that should be escaped
+        proxy_url = f"http://localhost:{dashboard_port}/proxy/1234/{unsafe_host}/status"
+        response = await http_client.fetch(proxy_url, raise_error=False)
+        assert response.code == 400
+        assert (
+            unsafe_host not in response.body.decode()
+        ), "Unsafe characters should be escaped"
+
 
 @gen_cluster(
     client=True,
diff --git a/distributed/http/proxy.py b/distributed/http/proxy.py
@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import html
 import logging
 
 from tornado import web
@@ -46,7 +47,7 @@ async def http_get(self, port, host, proxied_path):
 
             worker = f"{self.host}:{port}"
             if not check_worker_dashboard_exits(self.scheduler, worker):
-                msg = "Worker <%s> does not exist" % worker
+                msg = f"Worker &lt;{html.escape(worker)}&gt; does not exist"
                 self.set_status(400)
                 self.finish(msg)
                 return
