GHSL-2021-1018

nbconvert/exporters/tests/files/notebook_inject.ipynb

@@ -25,7 +25,24 @@
     "source": [
       "<script>alert('markdown cell')</script>"
     ]
-  }
+  },
+  {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "b72e53fa",
+    "metadata": {},
+    "outputs": [
+     {
+      "output_type": "execute_result",
+      "data": {
+        "image/svg+xml": ["<script>alert('image/svg+xml output')</script>"]
+      },
+      "execution_count": null,
+      "metadata": {}
+     }
+    ],
+    "source": [""]
+   }
  ],
  "metadata": {
   "title": "TITLE</title><script>alert('title')</script>",
@@ -47,7 +64,7 @@
    "version": "3.10.5"
   },
   "widgets": {
-    "application/vnd.jupyter.widget-state+json": {"foo": "pwntester</script><script>alert('widgets');//"}
+    "application/vnd.jupyter.widget-state+json": {"state": "{}", "foo": "pwntester</script><script>alert('widgets');//"}
   }
  },
  "nbformat": 4,

nbconvert/exporters/tests/test_html.py

@@ -151,3 +151,6 @@ def test_javascript_injection(self):
             # Check injection in the cell.source of the Notebook
             assert "<script>alert('raw cell')</script>" not in output
             assert "<script>alert('markdown cell')</script>" not in output
+
+            # Check injection in svg output
+            assert "<script>alert('image/svg+xml output')</script>" not in output

share/jupyter/nbconvert/templates/classic/base.html.j2

@@ -126,7 +126,7 @@ unknown type  {{ cell.type }}
 {%- if output.svg_filename %}
 <img src="{{ output.svg_filename | posix_path }}">
 {%- else %}
-{{ output.data['image/svg+xml'] }}
+{{ output.data['image/svg+xml'] | clean_html }}
 {%- endif %}
 </div>
 {%- endblock data_svg %}

share/jupyter/nbconvert/templates/lab/base.html.j2

@@ -154,7 +154,7 @@ unknown type  {{ cell.type }}
 {%- if output.svg_filename %}
 <img src="{{ output.svg_filename | posix_path }}">
 {%- else %}
-{{ output.data['image/svg+xml'] }}
+{{ output.data['image/svg+xml'] | clean_html }}
 {%- endif %}
 </div>
 {%- endblock data_svg %}