Fix XSS reported on Security list

No CVE-ID yet August 18, 2015 ----- Reported to Quantopian by Juan Broullón <thebrowfc@gmail.com>... If you create a new folder in the iPython file browser and set Javascript code as its name the code injected will be executed. So, if I create a folder called "><img src=x onerror=alert(document.cookie)> and then I access to it, the cookies will be prompted. The XSS code is also executed if you access a link pointing directly at the folder. jik ------
jupyter · Sep 1, 2015 · 35f32dd · 35f32dd
1 parent 474a3bb
commit 35f32dd
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/notebook/notebookapp.py b/notebook/notebookapp.py
@@ -159,7 +159,9 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
             _template_path = (_template_path,)
         template_path = [os.path.expanduser(path) for path in _template_path]
 
-        jenv_opt = jinja_env_options if jinja_env_options else {}
+        jenv_opt = {"autoescape": True}
+        jenv_opt.update(jinja_env_options if jinja_env_options else {})
+
         env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
 
         sys_info = get_sys_info()