sanitize notebook titles
Closed this issue · 1 comment
gordonwoodhull commented
It is possible to put a JS payload into a notebook title.
Once this happens, any refresh to the notebook tree causes the JS to run.
We need to sanitize notebook titles so that this doesn't happen.
gordonwoodhull commented
The notebook tree is safe here - the issue was in the recent notebooks list, so it actually couldn't affect other users.
The safe way to load such text is using the web framework's text input instead of html input, in this case

```javascript
.append($desc = $('<span class="description"></span>').text(desc))
```

instead of

```javascript
.append($desc = $('<span class="description">'+desc+'</span>'))
```

(also `.text()` vs `.html()` in D3)
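As an added illustration of the point above (example code written for this page, not code from the project or from the comment): a notebook title carrying markup, rendered once by string concatenation and once as text. The title, the function names and the `containsLiveHandler` check are constructed for the example; `escapeHtml` is spelled out only to show what creating a text node with jQuery's or D3's `.text()` gives you for free.

```javascript
// Constructed sample title: ordinary text plus a markup payload with an
// inline event handler, the kind of thing that would fire on every
// re-render of a list if it were spliced into an HTML string.
const PAYLOAD_TITLE = 'Quarterly <img src=x onerror="alert(document.cookie)"> report';

// Minimal escaping for character data placed inside an element.
// A text node is exactly this guarantee: the content is never parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern from the comment's "instead of" line: the title is pasted
// into an HTML string, so any '<' in it becomes an element when appended.
function renderUnsafe(desc) {
  return '<span class="description">' + desc + '</span>';
}

// What $('<span class="description"></span>').text(desc) produces:
// the title survives only as character data.
function renderSafe(desc) {
  return '<span class="description">' + escapeHtml(desc) + '</span>';
}

// Same idea with the plain DOM API (no jQuery or D3). Pass `document` in a
// browser; assigning textContent bypasses the HTML parser entirely.
function renderSafeDom(doc, desc) {
  const span = doc.createElement('span');
  span.className = 'description';
  span.textContent = desc;
  return span;
}

// Crude illustrative check: does the rendered markup still contain a real
// tag carrying an on*= event-handler attribute?
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Demo output when run with node.
console.log('unsafe:', renderUnsafe(PAYLOAD_TITLE));
console.log('safe:  ', renderSafe(PAYLOAD_TITLE));
console.log('handler survives (unsafe):', containsLiveHandler(renderUnsafe(PAYLOAD_TITLE)));
console.log('handler survives (safe):  ', containsLiveHandler(renderSafe(PAYLOAD_TITLE)));
```

The browser-side rule is the one the comment states: build the element, then set its content with `.text()` (jQuery or D3) or `textContent`; only reach for `.html()` or string concatenation when the value is markup you generated yourself, never for a user-supplied title.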