Fix XSS reported on Security list

No CVE-ID yet

August 18, 2015
-----
Reported to Quantopian by Juan Broullón <thebrowfc@gmail.com>...

If you create a new folder in the iPython file browser and set
Javascript code as its name, the injected code will be executed. So, if I
create a folder called "><img src=x onerror=alert(document.cookie)> and
then I access it, the cookies will be prompted.

The XSS code is also executed if you access a link pointing directly at
the folder.

  jik
------
Matthias Bussonnier 11 years ago
parent 474a3bb04e
commit 35f32dd2da

@ -159,7 +159,9 @@ class NotebookWebApplication(web.Application):
_template_path = (_template_path,)
template_path = [os.path.expanduser(path) for path in _template_path]
jenv_opt = jinja_env_options if jinja_env_options else {}
jenv_opt = {"autoescape": True}
jenv_opt.update(jinja_env_options if jinja_env_options else {})
env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
sys_info = get_sys_info()
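Review bot: with the merge order in the replacement lines, a caller-supplied `jinja_env_options` that contains `autoescape: False` overwrites the hard-coded `True`, because `jenv_opt.update(...)` runs after `jenv_opt = {"autoescape": True}`; if autoescape is meant to be non-negotiable as the XSS fix, apply the caller's options first and set `jenv_opt["autoescape"] = True` afterwards (or refuse an option set that disables it). A one-line comment saying that autoescape is the security fix, plus a test that renders a name like the one in the report through `NotebookWebApplication`'s environment and asserts it comes back escaped, would keep a later refactor from quietly dropping it.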

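Added example, not code from the commit or from IPython itself: it renders the folder name from the report through a Jinja2 environment with autoescape off (pre-fix behaviour) and on (the fix), and shows an option-merge order that keeps autoescape on even when a caller passes `autoescape=False`. It assumes Jinja2 is installed; the `row.html` template and the `build_env_options`/`render_row` helpers are constructed for this demonstration.

```python
# Added example: why autoescape neutralises the reported payload, and why
# the order in which environment options are merged matters.
# Assumes Jinja2 is installed; template and helper names are constructed.
from jinja2 import Environment, DictLoader

# Folder name taken from the bug report (user-controlled input).
FOLDER_NAME = '"><img src=x onerror=alert(document.cookie)>'

# Constructed template standing in for one row of the file browser.
TEMPLATES = {"row.html": '<a href="/tree/{{ name }}">{{ name }}</a>'}


def build_env_options(jinja_env_options=None):
    """Merge caller options first, then force autoescape on, so a caller
    passing autoescape=False cannot silently disable the XSS fix."""
    opts = dict(jinja_env_options or {})
    opts["autoescape"] = True  # applied last so it always wins
    return opts


def render_row(name, jinja_env_options=None, harden=True):
    """Render the row with either the hardened options or the caller's
    options as-is (Jinja2 defaults to autoescape=False when unset)."""
    if harden:
        jenv_opt = build_env_options(jinja_env_options)
    else:
        jenv_opt = dict(jinja_env_options or {})
    env = Environment(loader=DictLoader(TEMPLATES), **jenv_opt)
    return env.get_template("row.html").render(name=name)


def contains_live_markup(html):
    """True when the payload's <img> tag survives as real markup,
    i.e. the browser would execute the onerror handler."""
    return "<img" in html


if __name__ == "__main__":
    print("before fix:", render_row(FOLDER_NAME, harden=False))
    print("after fix: ", render_row(FOLDER_NAME))
    print("caller passes autoescape=False:",
          render_row(FOLDER_NAME, {"autoescape": False}))
```

With autoescape on, the name comes back as `&#34;&gt;&lt;img ...&gt;`, which the browser displays as text rather than parsing as a tag.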