From d7fd3e2803afec591abbb3dc32eeab00fa095207 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Tue, 26 Jul 2016 14:01:16 +0200
Subject: [PATCH] use `$.text` to put latex on the page instead of `$.append` does proper escaping of latex that might be interpreted as HTML tags Fix CVE-2016-6524
---
 notebook/static/notebook/js/outputarea.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/notebook/static/notebook/js/outputarea.js b/notebook/static/notebook/js/outputarea.js
index f04f73577..97d95835b 100644
--- a/notebook/static/notebook/js/outputarea.js
+++ b/notebook/static/notebook/js/outputarea.js
@@ -754,7 +754,7 @@ define([
 */
 var type = 'text/latex';
 var toinsert = this.create_output_subarea(md, "output_latex", type);
- toinsert.append(latex);
+ toinsert.text(latex);
 element.append(toinsert);
 return toinsert;
 };
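Review bot: The switch from `.append(latex)` to `.text(latex)` deserves a why-comment on the changed line, because a future cleanup could revert it to `.append()` without realizing that reintroduces HTML injection from kernel-supplied LaTeX; suggest `// .text(), not .append(): LaTeX from the kernel is untrusted and must be inserted as text so anything that looks like HTML is escaped rather than parsed (CVE-2016-6524)`. Note also that `.text()` replaces the subarea's existing content whereas `.append()` added to it; that is presumably harmless because `toinsert` is freshly created by `create_output_subarea` on the preceding line, but it is worth confirming that helper does not pre-populate the element. The enclosing function starts before the hunk, so its signature and the origin of `latex` are not visible here.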