Merge pull request ipython#5175 from jdfreder/html-take2

Audit .html() calls take ipython#2

IPython/html/static/notebook/js/codecell.js

@@ -481,6 +481,7 @@ var IPython = (function (IPython) {
         }
         this.input_prompt_number = number;
         var prompt_html = CodeCell.input_prompt_function(this.input_prompt_number, nline);
+        // This HTML call is okay because the user contents are escaped.
         this.element.find('div.input_prompt').html(prompt_html);
     };
 

IPython/html/static/notebook/js/outputarea.js

@@ -343,7 +343,8 @@ var IPython = (function (IPython) {
                 // Insert the subarea into the iframe
                 // We must directly write the html. When using Jquery's append
                 // method, javascript is evaluated in the parent document and
-                // not in the iframe document.
+                // not in the iframe document.  At this point, subarea doesn't
+                // contain any user content.
                 this.contentDocument.write(subarea.html());
 
                 this.contentDocument.close();
@@ -370,12 +371,10 @@ var IPython = (function (IPython) {
         // display a message when a javascript error occurs in display output
         var msg = "Javascript error adding output!"
         if ( element === undefined ) return;
-        element.append(
-            $('<div/>').html(msg + "<br/>" +
-                err.toString() +
-                '<br/>See your browser Javascript console for more details.'
-            ).addClass('js-error')
-        );
+        element
+            .append($('<div/>').text(msg).addClass('js-error'))
+            .append($('<div/>').text(err.toString()).addClass('js-error'))
+            .append($('<div/>').text('See your browser Javascript console for more details.').addClass('js-error'));
     };
 
     OutputArea.prototype._safe_append = function (toinsert) {
@@ -447,6 +446,8 @@ var IPython = (function (IPython) {
                 var pre = this.element.find('div.'+subclass).last().find('pre');
                 var html = utils.fixCarriageReturn(
                     pre.html() + utils.fixConsole(text));
+                // The only user content injected with this HTML call is
+                // escaped by the fixConsole() method.
                 pre.html(html);
                 return;
             }
@@ -548,6 +549,8 @@ var IPython = (function (IPython) {
         if (extra_class){
             toinsert.addClass(extra_class);
         }
+        // The only user content injected with this HTML call is
+        // escaped by the fixConsole() method.
         toinsert.append($("<pre/>").html(data));
         element.append(toinsert);
         return toinsert;

IPython/html/static/notebook/js/pager.js

@@ -164,6 +164,8 @@ var IPython = (function (IPython) {
     }
 
     Pager.prototype.append_text = function (text) {
+        // The only user content injected with this HTML call is escaped by
+        // the fixConsole() method.
         this.pager_element.find(".container").append($('<pre/>').html(utils.fixCarriageReturn(utils.fixConsole(text))));
     };
 

IPython/html/static/notebook/js/textcell.js

@@ -288,6 +288,8 @@ var IPython = (function (IPython) {
                 // make this value the starting point, so that we can only undo
                 // to this state, instead of a blank cell
                 this.code_mirror.clearHistory();
+                // TODO: This HTML needs to be treated as potentially dangerous
+                // user input and should be handled before set_rendered.         
                 this.set_rendered(data.rendered || '');
                 this.rendered = false;
                 this.render();
@@ -343,15 +345,20 @@ var IPython = (function (IPython) {
             math = text_and_math[1];
             var html = marked.parser(marked.lexer(text));
             html = $(IPython.mathjaxutils.replace_math(html, math));
-            // links in markdown cells should open in new tabs
+            // Links in markdown cells should open in new tabs.
             html.find("a[href]").not('[href^="#"]').attr("target", "_blank");
             try {
+                // TODO: This HTML needs to be treated as potentially dangerous
+                // user input and should be handled before set_rendered.         
                 this.set_rendered(html);
             } catch (e) {
                 console.log("Error running Javascript in Markdown:");
                 console.log(e);
-                this.set_rendered($("<div/>").addClass("js-error").html(
-                    "Error rendering Markdown!<br/>" + e.toString())
+                this.set_rendered(
+                    $("<div/>")
+                        .append($("<div/>").text('Error rendering Markdown!').addClass("js-error"))
+                        .append($("<div/>").text(e.toString()).addClass("js-error"))
+                        .html()
                 );
             }
             this.element.find('div.text_cell_input').hide();
@@ -531,7 +538,8 @@ var IPython = (function (IPython) {
                     .attr('href', '#' + hash)
                     .text('¶')
             );
-
+            // TODO: This HTML needs to be treated as potentially dangerous
+            // user input and should be handled before set_rendered.         
             this.set_rendered(h);
             this.typeset();
             this.element.find('div.text_cell_input').hide();

IPython/html/static/notebook/js/tooltip.js

@@ -373,6 +373,7 @@ var IPython = (function (IPython) {
         this.tooltip.fadeIn('fast');
         this.text.children().remove();
 
+        // Any HTML within the docstring is escaped by the fixConsole() method.
         var pre = $('<pre/>').html(utils.fixConsole(docstring));
         if (defstring) {
             var defstring_html = $('<pre/>').html(utils.fixConsole(defstring));