From 11ea5931f71fdaaaad8958f634132f45476bf006 Mon Sep 17 00:00:00 2001
From: Maarten Breddels
Date: Wed, 27 Oct 2021 19:59:43 +0200
Subject: [PATCH] fix: avoid closing the script tag early by escaping a forward slash (#1665) Closes #1562 Closes #802 Related #804
---
 nbconvert/exporters/templateexporter.py | 3 +++
 share/jupyter/nbconvert/templates/classic/base.html.j2 | 2 +-
 share/jupyter/nbconvert/templates/lab/base.html.j2 | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
index 01bffce5b..a3991b871 100644
--- a/nbconvert/exporters/templateexporter.py
+++ b/nbconvert/exporters/templateexporter.py
@@ -63,6 +63,9 @@
 'get_metadata': filters.get_metadata,
 'convert_pandoc': filters.convert_pandoc,
 'json_dumps': json.dumps,
+ # browsers will parse , closing a script tag early
+ # Since JSON allows escaping forward slash, this will still be parsed by JSON
+ 'escape_html_script': lambda x: x.replace('', '<\\/script>'),
 'strip_trailing_newline': filters.strip_trailing_newline,
 'text_base64': filters.text_base64,
 }
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
index e7b6b6aa0..ad010f016 100644
--- a/share/jupyter/nbconvert/templates/classic/base.html.j2
+++ b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -267,7 +267,7 @@ var element = $('#{{ div_id }}'); {% set mimetype = 'application/vnd.jupyter.widget-state+json'%} {% if mimetype in nb.metadata.get("widgets",{})%} {% endif %} {{ super() }}
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
index 684874606..45046c599 100644
--- a/share/jupyter/nbconvert/templates/lab/base.html.j2
+++ b/share/jupyter/nbconvert/templates/lab/base.html.j2
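Review bot: The `escape_html_script` filter added to the filter table in `templateexporter.py` rewrites only one exact spelling of the closing tag, while HTML tokenizers end a script element case-insensitively and also accept whitespace or `/` before the `>`, so widget-state JSON carrying another spelling would still terminate the element early. The first argument to `replace` and the tag named in the comment above it appear to have been lost in extraction on this page; judging by the replacement string it is the lowercase closing tag. Because `<` can only occur inside string values in `json.dumps` output, escaping every `</` is safe and covers all spellings: `'escape_html_script': lambda x: x.replace('</', '<\\/'),`. The comment should also state that the filter is only valid when applied to JSON output, which is presumably how the classic and lab `base.html.j2` hunks use it (their changed lines are not visible here), and a regression test with widget state containing a closing script tag would pin the behaviour.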
@@ -273,7 +273,7 @@ var element = document.getElementById('{{ div_id }}'); {% set mimetype = 'application/vnd.jupyter.widget-state+json'%} {% if mimetype in nb.metadata.get("widgets",{})%} {% endif %} {{ super() }}