From 48fe71eb3335caf4e03166e56e0d16efcfbeaf44 Mon Sep 17 00:00:00 2001
From: martinRenou <martin.renou@gmail.com>
Date: Thu, 28 Jul 2022 14:03:41 +0200
Subject: [PATCH] GHSL-2021-1024

---
 .../tests/files/notebook_inject.ipynb         | 38 +++++++++++++++++++
 nbconvert/exporters/tests/test_html.py        |  4 ++
 .../nbconvert/templates/classic/base.html.j2  | 12 +++---
 .../nbconvert/templates/lab/base.html.j2      |  8 ++--
 4 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
index 8f3c8dd53..bfd2163cd 100644
--- a/nbconvert/exporters/tests/files/notebook_inject.ipynb
+++ b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -136,6 +136,44 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "d72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "image/png": ["abcd"]
+        },
+        "execution_count": null,
+        "metadata": {
+           "width": "><script>alert('output.metadata.width png injection')</script>"
+        }
+      }
+    ],
+    "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "d72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "image/png": ["abcd"]
+        },
+        "execution_count": null,
+        "metadata": {
+           "height": "><script>alert('output.metadata.height png injection')</script>"
+        }
+      }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
index d870ea302..72c57f4fc 100644
--- a/nbconvert/exporters/tests/test_html.py
+++ b/nbconvert/exporters/tests/test_html.py
@@ -163,3 +163,7 @@ def test_javascript_injection(self):
             # Check injection in image data
             assert "<script>alert('image/png output')</script>" not in output
             assert "<script>alert('image/jpeg output')</script>" not in output
+
+            # Check injection in image width/height
+            assert "<script>alert('output.metadata.width png injection')</script>" not in output
+            assert "<script>alert('output.metadata.height png injection')</script>" not in output
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
index 70f87f274..ebc11ae13 100644
--- a/share/jupyter/nbconvert/templates/classic/base.html.j2
+++ b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -162,18 +162,18 @@ unknown type  {{ cell.type }}
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/png') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 {%- if output | get_metadata('unconfined', 'image/png') %}
 class="unconfined"
 {%- endif %}
 {%- set alttext=(output | get_metadata('alt', 'image/png')) or (cell | get_metadata('alt')) -%}
 {%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
 {%- endif %}
 >
 </div>
@@ -188,18 +188,18 @@ alt="{{ alttext }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/jpeg') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 {%- if output | get_metadata('unconfined', 'image/jpeg') %}
 class="unconfined"
 {%- endif %}
 {%- set alttext=(output | get_metadata('alt', 'image/jpeg')) or (cell | get_metadata('alt')) -%}
 {%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
 {%- endif %}
 >
 </div>
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
index 37df56e04..0180bbac0 100644
--- a/share/jupyter/nbconvert/templates/lab/base.html.j2
+++ b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -180,11 +180,11 @@ unknown type  {{ cell.type }}
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/png') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 class="
 {%- if output | get_metadata('unconfined', 'image/png') %}
@@ -210,11 +210,11 @@ jp-needs-dark-background
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
 {%- endif %}
 {%- set height=output | get_metadata('height', 'image/jpeg') -%}
 {%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
 {%- endif %}
 class="
 {%- if output | get_metadata('unconfined', 'image/jpeg') %}