From 228ee9182172a23ff0c9a0a3692cd1d6e21a37ff Mon Sep 17 00:00:00 2001
From: Jason Grout <jgrout6@bloomberg.net>
Date: Wed, 14 Aug 2019 16:02:54 -0700
Subject: [PATCH 1/4] Properly escape template variables

---
 dev_mode/templates/partial.html | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/dev_mode/templates/partial.html b/dev_mode/templates/partial.html
index 673b9c52d8f8..e94ef617fe8d 100644
--- a/dev_mode/templates/partial.html
+++ b/dev_mode/templates/partial.html
@@ -1,12 +1,14 @@
-  <script id="jupyter-config-data" type="application/json">{
-    {% for key, value in page_config.items() -%}
-    "{{ key }}": "{{ value }}",
-    {% endfor -%}
-    "baseUrl": "{{ base_url }}",
-    "wsUrl": "{{ ws_url }}"
-  }</script>
+{# Copy so we do not modify the page_config with updates. #}
+{% set page_config_full = page_config.copy() %}
+
+{# Set a dummy variable - we just want the side effect of the update. #}
+{% set _ = page_config_full.update(baseUrl=base_url, wsUrl=ws_url) %}
+
+  <script id="jupyter-config-data" type="application/json">
+    {{ page_config_full | tojson }}
+  </script>
 
   {% block favicon %}
-  <link rel="icon" type="image/x-icon" href="{{ base_url }}static/base/images/favicon.ico" class="idle favicon">
-  <link rel="" type="image/x-icon" href="{{ base_url }}static/base/images/favicon-busy-1.ico" class="busy favicon">
+  <link rel="icon" type="image/x-icon" href="{{ base_url | urlencode }}static/base/images/favicon.ico" class="idle favicon">
+  <link rel="" type="image/x-icon" href="{{ base_url | urlencode }}static/base/images/favicon-busy-1.ico" class="busy favicon">
   {% endblock %}

From f655977f43b5bd3f79ba54efd6a0f453e235dbb9 Mon Sep 17 00:00:00 2001
From: Jason Grout <jgrout6@bloomberg.net>
Date: Fri, 16 Aug 2019 09:41:17 -0700
Subject: [PATCH 2/4] Do not try to overly escape the notebook version info
 anymore.

---
 jupyterlab/extension.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/jupyterlab/extension.py b/jupyterlab/extension.py
index f82aedf60247..cb6559018255 100644
--- a/jupyterlab/extension.py
+++ b/jupyterlab/extension.py
@@ -141,13 +141,9 @@ def load_jupyter_server_extension(nbapp):
     page_config['devMode'] = dev_mode
     page_config['token'] = nbapp.token
 
-    # Export the version info tuple to a JSON array. This gets printed
-    # inside double quote marks, so we render it to a JSON string of the
-    # JSON data (so that we can call JSON.parse on the frontend on it).
-    # We also have to wrap it in `Markup` so that it isn't escaped
-    # by Jinja. Otherwise, if the version has string parts these will be
-    # escaped and then will have to be unescaped on the frontend.
-    page_config['notebookVersion'] = Markup(dumps(dumps(version_info))[1:-1])
+    # Client-side code assumes notebookVersion is a JSON-encoded string
+    # TODO: fix this when we can make such a change
+    page_config['notebookVersion'] = dumps(version_info)
 
     if nbapp.file_to_run and type(nbapp).__name__ == "LabApp":
         relpath = os.path.relpath(nbapp.file_to_run, nbapp.notebook_dir)

From d81f6d88317318200b36f4ed43696edb5cc7f519 Mon Sep 17 00:00:00 2001
From: Jason Grout <jgrout6@bloomberg.net>
Date: Fri, 16 Aug 2019 11:41:29 -0700
Subject: [PATCH 3/4] Escape instead of url encode in the jinja template

urlencode will escape :, but we want to preserve : if there is a full url.
---
 dev_mode/templates/partial.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev_mode/templates/partial.html b/dev_mode/templates/partial.html
index e94ef617fe8d..daf8a06290fb 100644
--- a/dev_mode/templates/partial.html
+++ b/dev_mode/templates/partial.html
@@ -9,6 +9,6 @@
   </script>
 
   {% block favicon %}
-  <link rel="icon" type="image/x-icon" href="{{ base_url | urlencode }}static/base/images/favicon.ico" class="idle favicon">
-  <link rel="" type="image/x-icon" href="{{ base_url | urlencode }}static/base/images/favicon-busy-1.ico" class="busy favicon">
+  <link rel="icon" type="image/x-icon" href="{{ base_url | escape }}static/base/images/favicon.ico" class="idle favicon">
+  <link rel="" type="image/x-icon" href="{{ base_url | escape }}static/base/images/favicon-busy-1.ico" class="busy favicon">
   {% endblock %}

From 11828db625813d3573cb48281d967ff70edc7e7e Mon Sep 17 00:00:00 2001
From: Jason Grout <jgrout6@bloomberg.net>
Date: Fri, 16 Aug 2019 11:58:59 -0700
Subject: [PATCH 4/4] Correct escaping in other templates we distribute.

---
 dev_mode/templates/error.html                 |  4 ++--
 examples/app/templates/error.html             |  8 ++++----
 examples/app/templates/index.html             | 20 ++++++++++---------
 examples/cell/index.html                      | 11 +++++-----
 examples/console/index.html                   | 12 ++++++-----
 examples/filebrowser/index.html               | 12 ++++++-----
 examples/notebook/index.html                  |  2 +-
 examples/terminal/index.html                  | 13 ++++++------
 .../examples/browser-require/index.html       |  9 +++++++--
 packages/services/examples/browser/index.html |  9 +++++++--
 .../typescript-browser-with-output/index.html |  9 +++++++--
 11 files changed, 66 insertions(+), 43 deletions(-)

diff --git a/dev_mode/templates/error.html b/dev_mode/templates/error.html
index 5c389852810e..70158728d1ca 100644
--- a/dev_mode/templates/error.html
+++ b/dev_mode/templates/error.html
@@ -8,7 +8,7 @@
 <head>
   <meta charset="utf-8">
 
-  <title>{% block title %}{{page_title}}{% endblock %}</title>
+  <title>{% block title %}{{page_title | escape}}{% endblock %}</title>
 
   {% block favicon %}<link rel="shortcut icon" type="image/x-icon" href="/static/base/images/favicon.ico">{% endblock %}
 
@@ -30,7 +30,7 @@
     {% block h1_error %}
     <h2>JupyterLab assets not detected, please rebuild</h2>
     <script>
-    console.error('Missing assets in "{{static_dir}}"');
+    console.error('Missing assets in "{{static_dir | escape}}"');
     </script>
     {% endblock h1_error %}
 </header>
diff --git a/examples/app/templates/error.html b/examples/app/templates/error.html
index 266937fb4bae..4e66c111301d 100644
--- a/examples/app/templates/error.html
+++ b/examples/app/templates/error.html
@@ -8,7 +8,7 @@
 <head>
   <meta charset="utf-8">
 
-  <title>{% block title %}{{page_title}}{% endblock %}</title>
+  <title>{% block title %}{{page_title | e}}{% endblock %}</title>
 
   {% block favicon %}<link rel="shortcut icon" type="image/x-icon" href="/static/base/images/favicon.ico">{% endblock %}
 
@@ -28,13 +28,13 @@
 
 <div class="error">
     {% block h1_error %}
-    <h1>{{status_code}} : {{status_message}}</h1>
+    <h1>{{status_code | e}} : {{status_message | e}}</h1>
     {% endblock h1_error %}
     {% block error_detail %}
     {% if message %}
     <p>The error was:</p>
     <div class="traceback-wrapper">
-    <pre class="traceback">{{message}}</pre>
+    <pre class="traceback">{{message | e}}</pre>
     </div>
     {% endif %}
     {% endblock %}
@@ -48,7 +48,7 @@ <h1>{{status_code}} : {{status_message}}</h1>
   var tb = document.getElementsByClassName('traceback')[0];
   tb.scrollTop = tb.scrollHeight;
   {% if message %}
-  console.error("{{message}}")
+  console.error("{{message | e}}")
   {% endif %}
 };
 </script>
diff --git a/examples/app/templates/index.html b/examples/app/templates/index.html
index b1e54724ced0..de1de05687fb 100644
--- a/examples/app/templates/index.html
+++ b/examples/app/templates/index.html
@@ -1,17 +1,19 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <title>{{page_config['appName']}}</title>
+  <title>{{page_config['appName'] | e}}</title>
 </head>
 <body>
-  <script id='jupyter-config-data' type="application/json">{
-  {% for key, value in page_config.items() -%}
-  "{{ key }}": "{{ value }}",
-  {% endfor -%}
-  "baseUrl": "{{base_url}}",
-  "wsUrl": "{{ws_url}}"
- }</script>
-  <script src="{{page_config['fullStaticUrl']}}/bundle.js" main="index"></script>
+    {# Copy so we do not modify the page_config with updates. #}
+    {% set page_config_full = page_config.copy() %}
+    
+    {# Set a dummy variable - we just want the side effect of the update. #}
+    {% set _ = page_config_full.update(baseUrl=base_url, wsUrl=ws_url) %}
+    
+      <script id="jupyter-config-data" type="application/json">
+        {{ page_config_full | tojson }}
+      </script>
+  <script src="{{page_config['fullStaticUrl'] | e}}/bundle.js" main="index"></script>
 
   <script type="text/javascript">
     /* Remove token from URL. */
diff --git a/examples/cell/index.html b/examples/cell/index.html
index 5bcfc72f0036..dad7819b0908 100644
--- a/examples/cell/index.html
+++ b/examples/cell/index.html
@@ -5,11 +5,12 @@
     <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_CHTML-full,Safe&amp;delayStartupUntil=configured"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+      {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+      
+        <script id="jupyter-config-data" type="application/json">
+          {{ page_config_full | tojson }}
+        </script>
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
diff --git a/examples/console/index.html b/examples/console/index.html
index 3873caab7f53..b4760b019fac 100644
--- a/examples/console/index.html
+++ b/examples/console/index.html
@@ -5,11 +5,13 @@
     <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_CHTML-full,Safe&amp;delayStartupUntil=configured"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
diff --git a/examples/filebrowser/index.html b/examples/filebrowser/index.html
index 02eea0112cf1..2ad0e3d6e6f1 100644
--- a/examples/filebrowser/index.html
+++ b/examples/filebrowser/index.html
@@ -4,11 +4,13 @@
     <title>FileBrowser Demo</title>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
diff --git a/examples/notebook/index.html b/examples/notebook/index.html
index 9ebc5ff75c57..6947b8cfda5b 100644
--- a/examples/notebook/index.html
+++ b/examples/notebook/index.html
@@ -7,7 +7,7 @@
     <script id='jupyter-config-data' type="application/json">
       {{ config_data|tojson }}
     </script>
-    <script src="{{config_data['frontendUrl']}}bundle.js"></script>
+    <script src="{{config_data['frontendUrl'] | e}}bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
diff --git a/examples/terminal/index.html b/examples/terminal/index.html
index 287dd3b6c6e8..191f22e81049 100644
--- a/examples/terminal/index.html
+++ b/examples/terminal/index.html
@@ -4,12 +4,13 @@
     <title>Terminal Demo</title>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-      "baseUrl": "{{base_url}}",
-      "terminalsAvailable": "{{terminals_available}}",
-      "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token, 'terminalsAvailable': terminals_available} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
diff --git a/packages/services/examples/browser-require/index.html b/packages/services/examples/browser-require/index.html
index a5384c564a6d..08a88cc5d43d 100644
--- a/packages/services/examples/browser-require/index.html
+++ b/packages/services/examples/browser-require/index.html
@@ -10,7 +10,12 @@
     </style>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+  
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
     <h1>Run code!</h1>
     <p>
       Type code in the text area and click run to execute it.
@@ -33,6 +38,6 @@ <h1>Run code!</h1>
         }
     });
     </script>
-    <script src="{{base_url}}example/index.js"></script>
+    <script src="{{base_url | e}}example/index.js"></script>
   </body>
 </html>
diff --git a/packages/services/examples/browser/index.html b/packages/services/examples/browser/index.html
index dae0c538837f..89b619961b05 100644
--- a/packages/services/examples/browser/index.html
+++ b/packages/services/examples/browser/index.html
@@ -5,8 +5,13 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/require.js/2.2.0/require.js"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
     <pre id='output'></pre>
   </body>
 </html>
diff --git a/packages/services/examples/typescript-browser-with-output/index.html b/packages/services/examples/typescript-browser-with-output/index.html
index 187fbe1f4f8b..7daa5a6c105e 100644
--- a/packages/services/examples/typescript-browser-with-output/index.html
+++ b/packages/services/examples/typescript-browser-with-output/index.html
@@ -5,8 +5,13 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/require.js/2.2.0/require.js"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+
+    <script src="{{base_url | e}}example/bundle.js"></script>
     <span id='outputarea'></span>
   </body>
 </html>