Back to development

* Add and use sanitize_html_and_parse() function

* Describe return type in doc comment

* Reset htmlPrefilter even if parsing HTML fails

* Return directly from try block

* Move toinsert to inner scope

.travis.yml

@@ -35,19 +35,13 @@ before_install:
       if [[ $GROUP == js* ]]; then
         npm install -g casperjs@1.1.3 phantomjs-prebuilt@2.1.7
       fi
-    - git clone --quiet --depth 1 https://github.com/minrk/travis-wheels travis-wheels
     - |
       if [[ $GROUP == docs ]]; then
         pip install -r docs/doc-requirements.txt
       fi
 
 install:
-    - pip install -f travis-wheels/wheelhouse file://$PWD#egg=notebook[test]
-    - |
-      if [[ "$TRAVIS_PYTHON_VERSION" == "2.7" ]]; then
-        # Work around https://github.com/ipython/ipykernel/issues/288
-        pip install ipykernel==4.6.1
-      fi
+    - pip install --pre .[test]
     - wget https://github.com/jgm/pandoc/releases/download/1.19.1/pandoc-1.19.1-1-amd64.deb && sudo dpkg -i pandoc-1.19.1-1-amd64.deb
 
 

bower.json

@@ -10,7 +10,7 @@
     "font-awesome": "components/font-awesome#~4.7.0",
     "google-caja": "5669",
     "jed": "~1.1.1",
-    "jquery": "components/jquery#~2.0",
+    "jquery": "components/jquery#~2.2",
     "jquery-typeahead": "~2.0.0",
     "jquery-ui": "components/jqueryui#~1.10",
     "marked": "~0.3",

docs/doc-requirements.txt

@@ -1,3 +1,3 @@
 sphinx>=1.3.6
 sphinx-rtd-theme
-nbsphinx==0.2.14
+nbsphinx

docs/source/changelog.rst

@@ -13,6 +13,7 @@ For more detailed information, see
      upgrade to the latest release.
 
 .. we push for pip 9+ or it will break for Python 2 users when IPython 6 is out.
+
 We strongly recommend that you upgrade to version 9+ of pip before upgrading ``notebook``.
 
 .. tip::
@@ -20,10 +21,22 @@ We strongly recommend that you upgrade to version 9+ of pip before upgrading ``n
     Use ``pip install pip --upgrade`` to upgrade pip. Check pip version with
     ``pip --version``.
 
-.. _release-5.4:
+.. _release-5.4.1:
+
+5.4.1
+-----
+
+A security release to fix `CVE-2018-8768
+<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8768>`_.
 
-5.4
----
+Thanks to `Alex <https://hackerone.com/pisarenko>`__ for identifying this bug,
+and Jonathan Kamens and Scott Sanderson at Quantopian for verifying it and
+bringing it to our attention.
+
+.. _release-5.4.0:
+
+5.4.0
+-----
 
 - Fix creating files and folders after navigating directories in the dashboard
   (:ghpull:`3264`).
@@ -115,7 +128,7 @@ Thanks to the following contributors:
 - Matthias Bussonnier (`Carreau <https://github.com/Carreau>`__)
 - ChungJooHo (`ChungJooHo <https://github.com/ChungJooHo>`__)
 - edida (`edida <https://github.com/edida>`__)
-- Francesco Franchina (`ferdas <https://github.com/ferdas>`__)
+- Francesco Franchina (``ferdas``)
 - forbxy (`forbxy <https://github.com/forbxy>`__)
 - Grant Nestor (`gnestor <https://github.com/gnestor>`__)
 - Josh Barnes (`jcb91 <https://github.com/jcb91>`__)

notebook/_version.py

@@ -9,5 +9,5 @@ store the current version info of the notebook.
 
 # Next beta/alpha/rc release: The version number for beta is X.Y.ZbN **without dots**. 
 
-version_info = (5, 4, 0)
+version_info = (5, 4, 2, '.dev0')
 __version__ = '.'.join(map(str, version_info[:3])) + ''.join(version_info[3:])

notebook/services/kernels/tests/test_kernels_api.py

@@ -53,11 +53,12 @@ class KernelAPI(object):
 
     def websocket(self, id):
         loop = IOLoop()
+        loop.make_current()
         req = HTTPRequest(
             url_path_join(self.base_url.replace('http', 'ws', 1), 'api/kernels', id, 'channels'),
             headers=self.headers,
         )
-        f = websocket_connect(req, io_loop=loop)
+        f = websocket_connect(req)
         return loop.run_sync(lambda : f)
 
 

notebook/static/base/js/namespace.js

@@ -73,7 +73,7 @@ define(function(){
     // tree
     jglobal('SessionList','tree/js/sessionlist');
 
-    Jupyter.version = "5.4.0";
+    Jupyter.version = "5.4.2.dev0";
     Jupyter._target = '_blank';
     return Jupyter;
 });

notebook/static/base/js/security.js

@@ -122,9 +122,29 @@ define([
         
         return sanitized;
     };
+
+    var sanitize_html_and_parse = function (html, allow_css) {
+        /**
+         * Sanitize HTML and parse it safely using jQuery.
+         *
+         * This disable's jQuery's html 'prefilter', which can make invalid
+         * HTML valid after the sanitizer has checked it.
+         *
+         * Returns an array of DOM nodes.
+         */
+        var sanitized_html = sanitize_html(html, allow_css);
+        var prev_htmlPrefilter = $.htmlPrefilter;
+        $.htmlPrefilter = function(html) {return html;};  // Don't modify HTML
+        try {
+            return $.parseHTML(sanitized_html);
+        } finally {
+            $.htmlPrefilter = prev_htmlPrefilter;  // Set it back again
+        }
+    };
     
     var security = {
         caja: caja,
+        sanitize_html_and_parse: sanitize_html_and_parse,
         sanitize_html: sanitize_html
     };
 

notebook/static/notebook/js/outputarea.js

@@ -674,19 +674,23 @@ define([
             var type = OutputArea.display_order[i];
             var append = OutputArea.append_map[type];
             if ((json.data[type] !== undefined) && append) {
+                var md = json.metadata || {};
                 var value = json.data[type];
+                var toinsert;
                 if (!this.trusted && !OutputArea.safe_outputs[type]) {
                     // not trusted, sanitize HTML
                     if (type===MIME_HTML || type==='text/svg') {
-                        value = security.sanitize_html(value);
+                        var parsed = $(security.sanitize_html_and_parse(value));
+                        toinsert = append.apply(this, [parsed, md, element, handle_inserted]);
                     } else {
                         // don't display if we don't know how to sanitize it
                         console.log("Ignoring untrusted " + type + " output.");
                         continue;
                     }
+                } else {
+                    toinsert = append.apply(this, [value, md, element, handle_inserted]);
                 }
-                var md = json.metadata || {};
-                var toinsert = append.apply(this, [value, md, element, handle_inserted]);
+
                 // Since only the png and jpeg mime types call the inserted
                 // callback, if the mime type is something other we must call the 
                 // inserted callback only when the element is actually inserted

notebook/static/notebook/js/textcell.js

@@ -248,8 +248,7 @@ define([
                 // HTML <img>)
                 var text = this.get_text();
                 marked(text, function (err, html) {
-                    html = security.sanitize_html(html);
-                    html = $($.parseHTML(html));
+                    html = $(security.sanitize_html_and_parse(html));
                     html.find('img[src^="attachment:"]').each(function (i, h) {
                         h = $(h);
                         var key = h.attr('src').replace(/^attachment:/, '');
@@ -402,8 +401,7 @@ define([
             };
             marked(text, { renderer: renderer }, function (err, html) {
                 html = mathjaxutils.replace_math(html, math);
-                html = security.sanitize_html(html);
-                html = $($.parseHTML(html));
+                html = $(security.sanitize_html_and_parse(html));
                 // add anchors to headings
                 html.find(":header").addBack(":header").each(function (i, h) {
                     h = $(h);

notebook/tests/launchnotebook.py

@@ -135,6 +135,9 @@ class NotebookTestBase(TestCase):
 
         started = Event()
         def start_thread():
+            if 'asyncio' in sys.modules:
+                import asyncio
+                asyncio.set_event_loop(asyncio.new_event_loop())
             app = cls.notebook = NotebookApp(
                 port=cls.port,
                 port_retries=0,