fix: avoid closing the script tag early by escaping a forward slash

Closes jupyter#1562 Closes jupyter#802 Related jupyter#804
maartenbreddels · Oct 27, 2021 · 0252cfa · 0252cfa
1 parent 16d5bd9
commit 0252cfa
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
@@ -64,6 +64,9 @@
         'get_metadata': filters.get_metadata,
         'convert_pandoc': filters.convert_pandoc,
         'json_dumps': json.dumps,
+        # browsers will parse </script>, closing a script tag early
+        # Since JSON allows escaping forward slash, this will still be parsed by JSON
+        'escape_html_script': lambda x: x.replace('</script>', '<\\/script>'),
         'strip_trailing_newline': filters.strip_trailing_newline,
         'text_base64': filters.text_base64,
 }

diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -267,7 +267,7 @@ var element = $('#{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%} 
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
 </script>
 {% endif %}
 {{ super() }}

diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -273,7 +273,7 @@ var element = document.getElementById('{{ div_id }}');
 {% set mimetype = 'application/vnd.jupyter.widget-state+json'%}
 {% if mimetype in nb.metadata.get("widgets",{})%}
 <script type="{{ mimetype }}">
-{{ nb.metadata.widgets[mimetype] | json_dumps }}
+{{ nb.metadata.widgets[mimetype] | json_dumps | escape_html_script }}
 </script>
 {% endif %}
 {{ super() }}