Convert input to string prior to escape HTML

jupyter · Aug 9, 2022 · bef65d7 · bef65d7
1 parent 0818628
commit bef65d7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
@@ -40,13 +40,6 @@
 )
 
 
-def escape_html(s, quote=True):
- if not isinstance(s, str):
- return s
- else:
- return html.escape(s)
-
-
 default_filters = {
  "indent": filters.indent,
  "markdown2html": filters.markdown2html,
@@ -78,7 +71,7 @@ def escape_html(s, quote=True):
  "convert_pandoc": filters.convert_pandoc,
  "json_dumps": json.dumps,
  # For removing any HTML
- "escape_html": escape_html,
+ "escape_html": lambda s: html.escape(str(s)),
  # For sanitizing HTML for any XSS
  "clean_html": clean_html,
  "strip_trailing_newline": filters.strip_trailing_newline,

diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -156,6 +156,25 @@
  ],
  "source": [""]
  },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "d72e095a",
+ "metadata": {},
+ "outputs": [
+ {
+ "output_type": "execute_result",
+ "data": {
+ "image/png": ["abcd"]
+ },
+ "execution_count": null,
+ "metadata": {
+ "width": ["><script>alert('output.metadata.width png injection')</script>"]
+ }
+ }
+ ],
+ "source": [""]
+ },
  {
  "cell_type": "code",
  "execution_count": null,