
use `$.text` to put latex on the page

instead of `$.append`

does proper escaping of latex that might be interpreted as HTML tags

Fix CVE-2016-6524
minrk committed Jul 26, 2016
1 parent eb6526d commit d7fd3e2803afec591abbb3dc32eeab00fa095207
Showing with 1 addition and 1 deletion.
  1. +1 −1 notebook/static/notebook/js/outputarea.js
@@ -754,7 +754,7 @@ define([
*/
var type = 'text/latex';
var toinsert = this.create_output_subarea(md, "output_latex", type);
toinsert.append(latex);
toinsert.text(latex);
element.append(toinsert);
return toinsert;
};
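Review bot: The new `toinsert.text(latex);` line has no comment marking it as the security-relevant call, so a later cleanup could switch it back to `.append` and reintroduce the HTML interpretation the commit message describes. I would add `// .text() inserts latex as a text node; .append() would parse it as HTML (CVE-2016-6524)` directly above it. A regression test would pin the behaviour: render a `text/latex` output containing a tag-like string such as `<b>x</b>` and assert that the returned subarea has no child elements. The function begins above the hunk, so it is not visible here whether other output handlers in this file pass kernel-supplied strings to `.append`; that is worth checking in the same pass.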
