GHSL-2021-1023

martinRenou · SylvainCorlay · commit df5cb60d58e5 · 2022-08-09T14:31:09.000+02:00
diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -102,6 +102,40 @@
       }
     ],
     "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "b72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/png": ["\"><script>alert('image/png output')</script>"]
+        },
+        "execution_count": null,
+        "metadata": {}
+      }
+    ],
+    "source": [""]
+   },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "p72e635a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+          "image/jpeg": ["\"><script>alert('image/jpeg output')</script>"]
+        },
+        "execution_count": null,
+        "metadata": {}
+      }
+    ],
+    "source": [""]
    }
  ],
  "metadata": {
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
@@ -159,3 +159,7 @@ def test_javascript_injection(self):
             # Check injection in image filenames
             assert "<script>alert('png filenames')</script>" not in output
             assert "<script>alert('jpg filenames')</script>" not in output
+
+            # Check injection in image data
+            assert "<script>alert('image/png output')</script>" not in output
+            assert "<script>alert('image/jpeg output')</script>" not in output
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -158,7 +158,7 @@ unknown type  {{ cell.type }}
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/png;base64,{{ output.data['image/png'] }}"
+<img src="data:image/png;base64,{{ output.data['image/png'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
@@ -184,7 +184,7 @@ alt="{{ alttext }}"
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
+<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -176,7 +176,7 @@ unknown type  {{ cell.type }}
 {%- if 'image/png' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/png'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/png;base64,{{ output.data['image/png'] }}"
+<img src="data:image/png;base64,{{ output.data['image/png'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/png') -%}
 {%- if width is not none %}
@@ -206,7 +206,7 @@ jp-needs-dark-background
 {%- if 'image/jpeg' in output.metadata.get('filenames', {}) %}
 <img src="{{ output.metadata.filenames['image/jpeg'] | posix_path | escape_html }}"
 {%- else %}
-<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] }}"
+<img src="data:image/jpeg;base64,{{ output.data['image/jpeg'] | escape_html }}"
 {%- endif %}
 {%- set width=output | get_metadata('width', 'image/jpeg') -%}
 {%- if width is not none %}
