notebook -- issue parsing out <script> tags

[williamstein]

This input to the notebook results in pain:

html('<script>alert("</script>");</script>')

This should only be looked at after #3735 is applied. Then look at this code in
cell.py

        if ncols == 0:
            while True:
                i = t.lower().find('<script>')
                if i == -1: break
                j = t[i:].lower().find('</script>')
                if j == -1: break
                t = t[:i] + t[i+j+len('</script>'):]
                

and also function eval_script_tags(text) in js.py.

Component: notebook

Issue created by migration from https://trac.sagemath.org/ticket/3777

[jasongrout]

comment:2

It looks like the problem here is that we don't have a full HTML/Javascript parser built in to cell.py?

[TimDumol]

Attachment: foo.html.gz

Sample failure of </script> tags.

[sagetrac-acleone]

comment:3

Apparently this is invalid javascript.

foo.html shows that firefox gives the same behavior.

[sagetrac-acleone]

Work Issues: close/mark as invalid?

[sagetrac-acleone]

Changed work issues from close/mark as invalid? to none