From 4fbe14d8643d586a9ea81c992d8a7917ed309c00 2018-03-28 12:30:45
From: Cristian Ciupitu
Date: 2018-03-28 12:30:45
Subject: [PATCH] FileLink: escape HTML unsafe characters from path
path could contain HTML unsafe characters such as &, ', " or even < and > on Unix, so they should be escaped before putting it into HTML code both as text and the href attribute.
---
diff --git a/IPython/lib/display.py b/IPython/lib/display.py
index 1a5b2a7..70aa8aa 100644
--- a/IPython/lib/display.py
+++ b/IPython/lib/display.py
@@ -2,6 +2,7 @@ Authors : MinRK, gregcaporaso, dannystaple
 """
+from html import escape as html_escape
 from os.path import exists, isfile, splitext, abspath, join, isdir
 from os import walk, sep, fsdecode
@@ -340,9 +341,10 @@ class FileLink(object):
 self.result_html_suffix = result_html_suffix
 def _format_path(self):
- fp = ''.join([self.url_prefix,self.path])
+ fp = ''.join([self.url_prefix, html_escape(self.path)])
 return ''.join([self.result_html_prefix,
- self.html_link_str % (fp, self.path),
+ self.html_link_str % \
+ (fp, html_escape(self.path, quote=False)),
 self.result_html_suffix])
 def _repr_html_(self):
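Review bot: In the second hunk, `html_escape(self.path)` makes the path safe to place inside the `href` attribute, but it does not make it a valid URL: a filename containing `?`, `#`, `%` or a space still reaches the browser verbatim, so `?`/`#` are parsed as query/fragment and `%xx` sequences are decoded, and the link points at the wrong resource. For the href side the path should be percent-encoded first and HTML-escaped second, e.g. `from urllib.parse import quote as url_quote` in the import block and `fp = ''.join([self.url_prefix, html_escape(url_quote(self.path))])`; the text side, `html_escape(self.path, quote=False)`, is correct as written. `self.url_prefix` is still concatenated unescaped; it is caller-supplied rather than taken from the filesystem, but if it can carry a query string its `&` also needs to become `&amp;`, so a short comment stating that the prefix is trusted would help if it is left as-is. As a point of style, the `\` after `self.html_link_str %` is unnecessary inside the bracketed `''.join([...])` argument, where implicit line continuation already applies. Whether `__init__` validates or normalises `self.path` is outside the hunk, so part of this may already be handled there.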