From df5cb60d58e5a159da1b33a9d7e7ea14e8637853 Mon Sep 17 00:00:00 2001
From: martinRenou <martin.renou@gmail.com>
Date: Thu, 28 Jul 2022 13:46:40 +0200
Subject: [PATCH] GHSL-2021-1023

---
 .../tests/files/notebook_inject.ipynb         | 34 +++++++++++++++++++
 nbconvert/exporters/tests/test_html.py        |  4 +++
 .../nbconvert/templates/classic/base.html.j2  |  4 +--
 .../nbconvert/templates/lab/base.html.j2      |  4 +--
 4 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
index 2c745d666..8f3c8dd53 100644
--- a/nbconvert/exporters/tests/files/notebook_inject.ipynb
+++ b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -102,6 +102,40 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "b72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/png": ["\"><script>alert('image/png output')</script>"]
+        },
+        "execution_count": null,
+        "metadata": {}
+      }
+    ],
+    "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "p72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/jpeg": ["\"><script>alert('image/jpeg output')</script>"]
+        },
+        "execution_count": null,
+        "metadata": {}
+      }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
index b17e63a3c..d870ea302 100644
--- a/nbconvert/exporters/tests/test_html.py
+++ b/nbconvert/exporters/tests/test_html.py
@@ -159,3 +159,7 @@ def test_javascript_injection(self):
             # Check injection in image filenames
             assert "<script>alert('png filenames')</script>" not in output
             assert "<script>alert('jpg filenames')</script>" not in output
+
+            # Check injection in image data
+            assert "<script>alert('image/png output')</script>" not in output
+            assert "<script>alert('image/jpeg output')</script>" not in output
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
index bdc89bebc..70f87f274 100644
--- a/share/jupyter/nbconvert/templates/classic/base.html.j2
+++ b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -158,7 +158,7 @@ unknown type  {{ cell.type }}
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/png;base64,{{ output.data['image/png'] }}"
+<img src="data:image/png;base64,{{ output.data['image/png'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
@@ -184,7 +184,7 @@ alt="{{ alttext }}"
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
+<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
index 9d330c216..37df56e04 100644
--- a/share/jupyter/nbconvert/templates/lab/base.html.j2
+++ b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -176,7 +176,7 @@ unknown type  {{ cell.type }}
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/png;base64,{{ output.data['image/png'] }}"
+<img src="data:image/png;base64,{{ output.data['image/png'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
@@ -206,7 +206,7 @@ jp-needs-dark-background
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
+<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}