From 3ab41641cf6fce3860c73d5cf4645aa12e1e5892 2015-09-01 14:29:25
From: Matthias Bussonnier
Date: 2015-09-01 14:29:25
Subject: [PATCH] Fix XSS reported on Security list

No CVE-ID yet

August 18, 2015
-----
Reported to Quantopian by Juan Broullón
...
If you create a new folder in the iPython file browser and set Javascript code as its name the code injected will be executed. So, if I create a folder called "> and then I access to it, the cookies will be prompted.
The XSS code is also executed if you access a link pointing directly at the folder.

jik
------
---

diff --git a/IPython/html/notebookapp.py b/IPython/html/notebookapp.py
index 0464144..094812b 100644
--- a/IPython/html/notebookapp.py
+++ b/IPython/html/notebookapp.py
@@ -158,7 +158,9 @@ class NotebookWebApplication(web.Application):
             _template_path = (_template_path,)
         template_path = [os.path.expanduser(path) for path in _template_path]
 
-        jenv_opt = jinja_env_options if jinja_env_options else {}
+        jenv_opt = {"autoescape": True}
+        jenv_opt.update(jinja_env_options if jinja_env_options else {})
+
         env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
 
         sys_info = get_sys_info()
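Review bot: The added `jenv_opt.update(jinja_env_options ...)` lets a caller-supplied `jinja_env_options` silently set `autoescape` back to `False`, so one configuration entry reopens the directory-name XSS this commit fixes; the new default should at least be documented as security-relevant, e.g. `# autoescape is the XSS fix for untrusted names rendered into templates; overriding it via jinja_env_options re-enables the injection` above the `update`, and if overriding is meant to stay supported it is worth logging a warning when `jenv_opt.get("autoescape") is not True`. Note that Jinja autoescaping only covers values interpolated into HTML text and attribute contexts; any name that reaches an inline `<script>` block or is rendered client-side from a JSON payload is not covered by this change, so the "link pointing directly at the folder" path in the report should be confirmed fixed separately (this cannot be verified from the hunk). The enclosing `__init__` of `NotebookWebApplication` starts and ends outside this hunk, so whether existing templates relied on unescaped output (and now need `|safe`) is also not visible here.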