Properly escape template variables #7016

merged 4 commits into from Aug 16, 2019



@jasongrout jasongrout commented Aug 14, 2019


See jupyterlab/jupyterlab_server#73 for another attempt at this in the server. This may conflict with that change (i.e., there may be double escaping with both that change and this change).

Fixes #7024.

Code changes

Add proper Jinja escapes to template variables. In particular, this escapes the JSON strings and urls added to the template.

Note that similar escaping should be added to the jupyterlab_server as well. However, since JupyterLab overrides the index.html template from jupyterlab_server, this PR is the one that affects JupyterLab itself.

User-facing changes


Backwards-incompatible changes

Should be none

@jasongrout jasongrout added this to the 1.0.x milestone Aug 14, 2019
@jasongrout jasongrout removed this from the 1.0.x milestone Aug 14, 2019
@jasongrout jasongrout added this to the 1.1 milestone Aug 14, 2019

@jupyterlab-dev-mode jupyterlab-dev-mode bot commented Aug 14, 2019

Thanks for making a pull request to JupyterLab!

To try out this branch on binder, follow this link: Binder

Contributor Author

@jasongrout jasongrout commented Aug 14, 2019

I think this could be backported to 1.0.x as well.

Note that there is some jinja trickery to get the full page config. We could eliminate that if jupyterlab_server included the base and ws urls in the page config variable passed in.

Contributor Author

@jasongrout jasongrout commented Aug 14, 2019

jasongrout added 2 commits Aug 16, 2019
urlencode will escape :, but we want to preserve : if there is a full url.
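
The two escaping concerns raised in the description and the commit message above, as an added example that is not code from this pull request or from JupyterLab. It uses only the Python standard library: `quote(..., safe="/")` stands in for Jinja's `urlencode` on a string, and the `\uXXXX` escaping mirrors what Jinja's `tojson` filter does. The config keys, URLs and function names are constructed for illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed sample values; the keys and URLs are hypothetical.
PAGE_CONFIG = {
    "appName": 'Lab</script><b id="injected">',
    "staticUrl": "https://cdn.example.org/static/lab v1",
}

def embed_json_unsafe(config):
    """'Before': raw JSON in a script element; '</script>' in a value ends it early."""
    return '<script type="application/json">%s</script>' % json.dumps(config)

def json_for_script(config):
    """JSON with <, > and & written as \\uXXXX escapes, so no value can close the
    script element and a JSON parser still recovers the original strings."""
    text = json.dumps(config)
    for ch in "<>&":  # these only ever occur inside JSON string values
        text = text.replace(ch, "\\u%04x" % ord(ch))
    return text

def embed_json_safe(config):
    """'After': the same element, built from the escaped JSON."""
    return '<script type="application/json">%s</script>' % json_for_script(config)

def url_strict(url):
    """Quoting with only '/' left alone: the ':' of a full URL is encoded too."""
    return quote(url, safe="/")

def url_for_attribute(url):
    """Percent-encode but keep ':' so a full URL keeps its scheme, then
    HTML-escape for use inside a quoted attribute."""
    return html.escape(quote(url, safe="/:"), quote=True)

if __name__ == "__main__":
    print(embed_json_unsafe(PAGE_CONFIG))
    print(embed_json_safe(PAGE_CONFIG))
    print(url_strict(PAGE_CONFIG["staticUrl"]))
    print(url_for_attribute(PAGE_CONFIG["staticUrl"]))
```
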

@blink1073 blink1073 left a comment


@blink1073 blink1073 merged commit 285ce00 into jupyterlab:master Aug 16, 2019
7 of 9 checks passed

@blink1073 blink1073 commented Aug 16, 2019

@meeseeksdev backport to 1.0.x

meeseeksmachine pushed a commit to meeseeksmachine/jupyterlab that referenced this issue Aug 16, 2019
blink1073 added a commit that referenced this issue Aug 16, 2019

Backport PR #7016 on branch 1.0.x (Properly escape template variables)
@lock lock bot locked as resolved and limited conversation to collaborators Sep 15, 2019