
Commit 11ea593

fix: avoid closing the script tag early by escaping a forward slash (#1665)
Closes #1562 Closes #802 Related #804
1 parent 968c5fb commit 11ea593


3 files changed

+5
-2
lines changed


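--- a/nbconvert/exporters/templateexporter.py
+++ b/nbconvert/exporters/templateexporter.py
@@ -63,6 +63,9 @@
 'get_metadata': filters.get_metadata,
 'convert_pandoc': filters.convert_pandoc,
 'json_dumps': json.dumps,
+# browsers will parse </script>, closing a script tag early
+# Since JSON allows escaping forward slash, this will still be parsed by JSON
+'escape_html_script': lambda x: x.replace('</script>', '<\\/script>'),
 'strip_trailing_newline': filters.strip_trailing_newline,
 'text_base64': filters.text_base64,
 }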
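Review bot: The `escape_html_script` lambda replaces only the exact lowercase string `</script>`, but an HTML parser matches the end tag case-insensitively and also accepts whitespace or `/` before the `>`, so other spellings inside notebook metadata would still end the element early. `<!--` inside the JSON is also left as is and can change how the rest of the script block is parsed. Since `<` can only occur inside string values in `json.dumps` output, escaping it outright is simpler and still valid JSON: `'escape_html_script': lambda x: x.replace('<', '\\u003c'),`. The commit adds no test; one that passes widget state containing such strings through the filter and back through `json.loads` would pin the behaviour down. The dict this entry belongs to starts outside the hunk.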

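--- a/share/jupyter/nbconvert/templates/classic/base.html.j2
+++ b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -267,7 +267,7 @@ var element = $('#{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
 </script>
 {% endif %}
 {{ super() }}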
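Review bot: The escaping is opt-in at each call site, so the widget-state block here and the identical one in `templates/lab/base.html.j2` are protected only because both chain `| escape_html_script` after `json_dumps`. Any other template that writes `json_dumps` output inside a `<script>` element would need the same chain; none is visible in this commit, so a search of the template tree is worth doing before relying on the fix. A comment above the line such as `{# JSON inside <script>: must pass through escape_html_script #}` would make the requirement visible to the next editor. The enclosing template block starts and ends outside the hunk.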

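--- a/share/jupyter/nbconvert/templates/lab/base.html.j2
+++ b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -273,7 +273,7 @@ var element = document.getElementById('{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
 </script>
 {% endif %}
 {{ super() }}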
