Commit 7c07e8e

Author: Roman Stoffel (committed)
Fix XSS in Handling Text Block.
Vulnerable to a notebook like: { "cells": [{ "cell_type": "code", "source": [], "outputs": [{ "output_type": "display_data", "data": { "text/plain": "<img src onerror=\"alert('XSS at '+origin)\">" } }] }] }
1 parent 426d3c1 commit 7c07e8e

2 files changed

+2
-2
lines changed

notebook.js

Lines changed: 1 addition & 1 deletion
@@ -111,7 +111,7 @@
111111
nb.display = {};
112112
nb.display.text = function (text) {
113113
var el = makeElement("pre", [ "text-output" ]);
114-
el.innerHTML = nb.highlighter(nb.ansi(joinText(text)), el);
114+
el.innerHTML = nb.sanitizer(nb.highlighter(nb.ansi(joinText(text)), el));
115115
return el;
116116
};
117117
nb.display["text/plain"] = nb.display.text;
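Review bot: the sanitizer is applied last, to a string that nb.ansi and nb.highlighter have already turned into markup, so whether this closes the hole depends entirely on what nb.sanitizer does: if it is a pass-through default the `text/plain` path is unchanged and the notebook from the commit message still executes, and if it is an allow-list it must keep the elements and classes the ANSI and highlighter passes emit or coloured output will be stripped along with the injected `<img>`. A more robust fix is to HTML-escape the joined plain text before it reaches nb.ansi, since `text/plain` output should never be interpreted as markup in the first place; either way, please add a test that renders the notebook quoted in the commit message and asserts the resulting `<pre>` contains no `<img>` element, plus one ANSI-coloured sample that still renders with its spans intact.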

notebook.min.js

Lines changed: 1 addition & 1 deletion
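Review bot: the change to notebook.min.js is not rendered here, so it cannot be confirmed that the minified bundle was regenerated from the patched notebook.js rather than hand-edited; please state in the commit message how it was rebuilt so a reviewer can reproduce the one-line diff.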
