From 4fbe14d8643d586a9ea81c992d8a7917ed309c00 2018-03-28 12:30:45
From: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
Date: 2018-03-28 12:30:45
Subject: [PATCH] FileLink: escape HTML unsafe characters from path

path could contain HTML unsafe characters such as &, ', " or even < and
> on Unix, so they should be escaped before putting it into HTML code
both as text and the href attribute.

---

diff --git a/IPython/lib/display.py b/IPython/lib/display.py
index 1a5b2a7..70aa8aa 100644
--- a/IPython/lib/display.py
+++ b/IPython/lib/display.py
@@ -2,6 +2,7 @@
 
 Authors : MinRK, gregcaporaso, dannystaple
 """
+from html import escape as html_escape
 from os.path import exists, isfile, splitext, abspath, join, isdir
 from os import walk, sep, fsdecode
 
@@ -340,9 +341,10 @@ class FileLink(object):
         self.result_html_suffix = result_html_suffix
 
     def _format_path(self):
-        fp = ''.join([self.url_prefix,self.path])
+        fp = ''.join([self.url_prefix, html_escape(self.path)])
         return ''.join([self.result_html_prefix,
-                        self.html_link_str % (fp, self.path),
+                        self.html_link_str % \
+                            (fp, html_escape(self.path, quote=False)),
                         self.result_html_suffix])
 
     def _repr_html_(self):