Remove HTML escaping JSON-encoded widget state (#1934)
Co-authored-by: Steven Silvester <steven.silvester@ieee.org>
manzt and blink1073 committed Jul 17, 2023
1 parent 68dbb34 commit f2fc3e1
Showing 3 changed files with 5 additions and 4 deletions.
1 change: 1 addition & 0 deletions nbconvert/exporters/templateexporter.py
Expand Up @@ -72,6 +72,7 @@
# For removing any HTML
"escape_html": lambda s: html.escape(str(s)),
"escape_html_keep_quotes": lambda s: html.escape(str(s), quote=False),
"escape_html_script": lambda s: s.replace("/", "\\/"),
# For sanitizing HTML for any XSS
"clean_html": filters.clean_html,
"strip_trailing_newline": filters.strip_trailing_newline,
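Review bot: The new `escape_html_script` entry on the fourth line of the hunk rewrites only `/`, so a JSON string containing `<!--` followed by `<script` passes through unchanged, and in the HTML tokenizer's script-data double-escaped state the element's genuine `</script>` then no longer closes it; the widget-state JSON this filter is applied to comes from notebook metadata, which presumably may originate from an untrusted notebook. The established way to embed JSON in a `<script>` data block is to replace the HTML-significant characters with JSON unicode escapes, which `JSON.parse` decodes back to the same text: `"escape_html_script": lambda s: str(s).replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e"),`. Wrapping in `str()` also keeps the entry consistent with the two `escape_html` lambdas above it. A comment such as `# For JSON inside <script> data blocks: html.escape would corrupt the JSON, so neutralise <, > and & with JSON escapes instead` would explain why this differs from `escape_html`. The dictionary this entry belongs to begins and ends outside the hunk.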
4 changes: 2 additions & 2 deletions share/templates/classic/base.html.j2
Expand Up @@ -269,7 +269,7 @@ var element = $('#{{ div_id }}');
var element = $('#{{ div_id }}');
</script>
<script type="{{ datatype }}">
{{ output.data[datatype] | json_dumps | escape_html_keep_quotes }}
{{ output.data[datatype] | json_dumps | escape_html_script }}
</script>
</div>
{%- endif %}
Expand All @@ -280,7 +280,7 @@ var element = $('#{{ div_id }}');
{% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
{% if mimetype in nb.metadata.get("widgets",{})%}
<script type="{{ mimetype }}">
{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_keep_quotes }}
{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
</script>
{% endif %}
{%- endif %}
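Review bot: The two-filter pipeline `json_dumps | escape_html_script` on the second changed line of each hunk here, and again twice in share/templates/lab/base.html.j2, is the only thing keeping notebook-supplied JSON from terminating the surrounding `<script>` element, and it must be repeated verbatim at every site. A single exporter filter that dumps and escapes in one step (in the spirit of Django's `json_script`), used in all four places, would make it harder for a future call site to keep `json_dumps` and drop the escape. The `type="{{ datatype }}"` attribute two lines above the first changed line is interpolated from the same output and is not touched by this commit; whether that value is constrained to a mimetype elsewhere is not visible here, so I would confirm it before relying on the new filter alone. The enclosing `{% if %}` block begins outside each hunk.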
4 changes: 2 additions & 2 deletions share/templates/lab/base.html.j2
Expand Up @@ -303,7 +303,7 @@ var element = document.getElementById('{{ div_id }}');
var element = document.getElementById('{{ div_id }}');
</script>
<script type="{{ datatype }}">
{{ output.data[datatype] | json_dumps | escape_html_keep_quotes }}
{{ output.data[datatype] | json_dumps | escape_html_script }}
</script>
</div>
{%- endblock data_widget_view -%}
Expand All @@ -312,7 +312,7 @@ var element = document.getElementById('{{ div_id }}');
{% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
{% if mimetype in nb.metadata.get("widgets",{})%}
<script type="{{ mimetype }}">
{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_keep_quotes }}
{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
</script>
{% endif %}
{{ super() }}
