GHSL-2021-1026, GHSL-2021-1025

Also removing the block data_widget_state which is never used (leftover
from an old implementation), making GHSL-2021-1025 irrelevant

Author: martinRenou

nbconvert/exporters/tests/files/notebook_inject.ipynb

@@ -159,7 +159,7 @@
    {
     "cell_type": "code",
     "execution_count": null,
-    "id": "d72e635a",
+    "id": "ae4f574d",
     "metadata": {},
     "outputs": [
       {
@@ -174,6 +174,23 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "w72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "application/vnd.jupyter.widget-view+json": {"model_id": "wid1", "foo": "\"</script><script>alert('output.data.application/vnd.jupyter.widget-view+json injection')//"}
+        },
+        "execution_count": null,
+        "metadata": {}
+       }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {
@@ -196,7 +213,7 @@
    "version": "3.10.5"
   },
   "widgets": {
-    "application/vnd.jupyter.widget-state+json": {"state": "{}", "foo": "pwntester</script><script>alert('widgets');//"}
+    "application/vnd.jupyter.widget-state+json": {"state": {"wid1": {}}, "foo": "pwntester</script><script>alert('widgets');//"}
   }
  },
  "nbformat": 4,

nbconvert/exporters/tests/test_html.py

@@ -167,3 +167,6 @@ def test_javascript_injection(self):
             # Check injection in image width/height
             assert "<script>alert('output.metadata.width png injection')</script>" not in output
             assert "<script>alert('output.metadata.height png injection')</script>" not in output
+
+            # Check injection in widget view
+            assert "<script>alert('output.data.application/vnd.jupyter.widget-view+json injection')" not in output

share/jupyter/nbconvert/templates/classic/base.html.j2

@@ -241,20 +241,6 @@ var element = $('#{{ div_id }}');
 </div>
 {%- endblock -%}
 
-{%- block data_widget_state scoped %}
-{% set div_id = uuid4() %}
-{% set datatype_list = output.data | filter_data_type %}
-{% set datatype = datatype_list[0]%}
-<div id="{{ div_id }}" class="output_subarea output_widget_state {{ extra_class }}">
-<script type="text/javascript">
-var element = $('#{{ div_id }}');
-</script>
-<script type="{{ datatype }}">
-{{ output.data[datatype] | json_dumps }}
-</script>
-</div>
-{%- endblock data_widget_state -%}
-
 {%- block data_widget_view scoped %}
 {% set div_id = uuid4() %}
 {% set datatype_list = output.data | filter_data_type %}
@@ -264,7 +250,7 @@ var element = $('#{{ div_id }}');
 var element = $('#{{ div_id }}');
 </script>
 <script type="{{ datatype }}">
-{{ output.data[datatype] | json_dumps }}
+{{ output.data[datatype] | json_dumps | escape_html }}
 </script>
 </div>
 {%- endblock data_widget_view -%}

share/jupyter/nbconvert/templates/lab/base.html.j2

@@ -273,20 +273,6 @@ var element = document.getElementById('{{ div_id }}');
 </div>
 {%- endblock -%}
 
-{%- block data_widget_state scoped %}
-{% set div_id = uuid4() %}
-{% set datatype_list = output.data | filter_data_type %}
-{% set datatype = datatype_list[0]%}
-<div id="{{ div_id }}" class="output_subarea output_widget_state {{ extra_class }}">
-<script type="text/javascript">
-var element = document.getElementById('{{ div_id }}');
-</script>
-<script type="{{ datatype }}">
-{{ output.data[datatype] | json_dumps }}
-</script>
-</div>
-{%- endblock data_widget_state -%}
-
 {%- block data_widget_view scoped %}
 {% set div_id = uuid4() %}
 {% set datatype_list = output.data | filter_data_type %}
@@ -296,7 +282,7 @@ var element = document.getElementById('{{ div_id }}');
 var element = document.getElementById('{{ div_id }}');
 </script>
 <script type="{{ datatype }}">
-{{ output.data[datatype] | json_dumps }}
+{{ output.data[datatype] | json_dumps | escape_html }}
 </script>
 </div>
 {%- endblock data_widget_view -%}