From bef65d7ab2a469b01e4aa25f44c0f20326f7c7c5 Mon Sep 17 00:00:00 2001
From: martinRenou
Date: Mon, 1 Aug 2022 09:40:53 +0200
Subject: [PATCH] Convert input to string prior to escape HTML
---
 nbconvert/exporters/templateexporter.py | 9 +--------
 .../tests/files/notebook_inject.ipynb | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
index fc6a89b67..4b1d2a1fd 100644
--- a/nbconvert/exporters/templateexporter.py
+++ b/nbconvert/exporters/templateexporter.py
@@ -40,13 +40,6 @@
 )
-def escape_html(s, quote=True):
- if not isinstance(s, str):
- return s
- else:
- return html.escape(s)
-
-
 default_filters = {
 "indent": filters.indent,
 "markdown2html": filters.markdown2html,
@@ -78,7 +71,7 @@ def escape_html(s, quote=True):
 "convert_pandoc": filters.convert_pandoc,
 "json_dumps": json.dumps,
 # For removing any HTML
- "escape_html": escape_html,
+ "escape_html": lambda s: html.escape(str(s)),
 # For sanitizing HTML for any XSS
 "clean_html": clean_html,
 "strip_trailing_newline": filters.strip_trailing_newline,
diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
index d88562564..a882b763a 100644
--- a/nbconvert/exporters/tests/files/notebook_inject.ipynb
+++ b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -156,6 +156,25 @@
 ],
 "source": [""]
 },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "d72e095a",
+ "metadata": {},
+ "outputs": [
+ {
+ "output_type": "execute_result",
+ "data": {
+ "image/png": ["abcd"]
+ },
+ "execution_count": null,
+ "metadata": {
+ "width": [">"]
+ }
+ }
+ ],
+ "source": [""]
+ },
 {
 "cell_type": "code",
 "execution_count": null,
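Review bot: The replacement lambda in the `default_filters` hunk drops the `quote` parameter that the removed `escape_html(s, quote=True)` accepted, and it stringifies every input, so `None` now renders as the literal text `None` (and is truthy) where it used to pass through unchanged. Coercing before escaping does close the gap where non-string metadata, such as the list-valued `"width"` in the fixture added by the notebook hunk, was returned unescaped; such values are now emitted as their escaped Python repr. I would keep a named module-level function so the signature and the intent stay documented, e.g. `def escape_html(s, quote=True): return html.escape(str(s), quote=quote)`, with a one-line docstring saying non-strings are coerced so they cannot skip escaping. Whether any template passes `quote` or relies on `None` passing through is not visible here and is worth checking; the `default_filters` dict continues outside the hunk. The neighbouring comment `# For removing any HTML` would be more accurate as `# Escape HTML special characters; non-strings are coerced with str() first`.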