Properly escape template variables #7016

merged 4 commits into from Aug 16, 2019

@jasongrout jasongrout commented Aug 14, 2019

References

See jupyterlab/jupyterlab_server#73 for another attempt at this in the server. This may conflict with that change (i.e., there may be double escaping with both that change and this change).

Fixes #7024.

Code changes

Add proper Jinja escapes to template variables. In particular, this escapes the JSON strings and urls added to the template.

Note that similar escaping should be added to the jupyterlab_server as well. However, since JupyterLab overrides the index.html template from jupyterlab_server, this PR is the one that affects JupyterLab itself.

User-facing changes

None

Backwards-incompatible changes

Should be none

@jasongrout jasongrout added this to the 1.0.x milestone Aug 14, 2019
@jasongrout jasongrout removed this from the 1.0.x milestone Aug 14, 2019
@jasongrout jasongrout added this to the 1.1 milestone Aug 14, 2019

@jupyterlab-dev-mode jupyterlab-dev-mode bot commented Aug 14, 2019

Thanks for making a pull request to JupyterLab!

To try out this branch on binder, follow this link: Binder


@jasongrout jasongrout commented Aug 14, 2019

I think this could be backported to 1.0.x as well.

Note that there is some jinja trickery to get the full page config. We could eliminate that if jupyterlab_server included the base and ws urls in the page config variable passed in.


@jasongrout jasongrout commented Aug 14, 2019

jasongrout added 2 commits Aug 16, 2019
urlencode will escape :, but we want to preserve : if there is a full url.
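
The escaping named in the pull request description (JSON strings and URLs placed into the template) and the `:` problem in the commit message above, shown as an added example; this is not code from the pull request or from JupyterLab. It uses the Python standard library in place of Jinja filters, and the page layout, function names and sample values are assumptions constructed for the illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed sample values standing in for untrusted configuration input.
PAGE_CONFIG = {"appName": "Lab</script><b>injected</b>", "baseUrl": "/user/a&b/"}
STATIC_URL = 'https://cdn.example.test/static" data-x="1'

# Assumed page layout: a JSON config block plus one script URL.
PAGE = ('<script id="config" type="application/json">%s</script>\n'
        '<script src="%s/main.js"></script>')


def render_unescaped(config, static_url):
    """'Before' shape: every value is pasted into the markup verbatim."""
    pairs = ", ".join('"%s": "%s"' % item for item in config.items())
    return PAGE % ("{" + pairs + "}", static_url)


def json_for_script(value):
    """Serialize once, then replace the characters an HTML parser reacts to
    with \\uXXXX escapes (the substitutions Jinja's tojson filter makes)."""
    out = json.dumps(value)
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out


def url_for_attribute(url):
    """HTML-escape a URL for a quoted attribute; ':' and '/' are left alone."""
    return html.escape(url, quote=True)


def percent_encoded(url):
    """Percent-encoding the whole URL instead: the scheme's ':' becomes %3A."""
    return quote(url)


def render_escaped(config, static_url):
    """'After' shape: JSON emitted as one escaped unit, URL attribute-escaped."""
    return PAGE % (json_for_script(config), url_for_attribute(static_url))


if __name__ == "__main__":
    print(render_unescaped(PAGE_CONFIG, STATIC_URL), end="\n\n")
    print(render_escaped(PAGE_CONFIG, STATIC_URL))
    print(percent_encoded("https://cdn.example.test/static"))
```

In the unescaped output the config value closes the script element early and the URL value ends the `src` attribute; in the escaped output both stay inside their context and the JSON still parses to the original values.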

@blink1073 blink1073 left a comment

Thanks!

@blink1073 blink1073 merged commit 285ce00 into jupyterlab:master Aug 16, 2019
7 of 9 checks passed

@blink1073 blink1073 commented Aug 16, 2019

@meeseeksdev backport to 1.0.x

meeseeksmachine pushed a commit to meeseeksmachine/jupyterlab that referenced this issue Aug 16, 2019
blink1073 added a commit that referenced this issue Aug 16, 2019
…6-on-1.0.x

Backport PR #7016 on branch 1.0.x (Properly escape template variables)
@lock lock bot locked as resolved and limited conversation to collaborators Sep 15, 2019