Properly escape template variables #7016
Thanks for making a pull request to JupyterLab! To try out this branch on binder, follow this link:
I think this could be backported to 1.0.x as well. Note that there is some jinja trickery to get the full page config. We could eliminate that if jupyterlab_server included the base and ws urls in the page config variable passed in.
CC @blink1073
urlencode will escape :, but we want to preserve : if there is a full url.
Thanks!
@meeseeksdev backport to 1.0.x
…6-on-1.0.x Backport PR #7016 on branch 1.0.x (Properly escape template variables)
References
See jupyterlab/jupyterlab_server#73 for another attempt at this in the server. This may conflict with that change (i.e., there may be double escaping with both that change and this change).
Fixes #7024.
Code changes
Add proper Jinja escapes to template variables. In particular, this escapes the JSON strings and urls added to the template.
Note that similar escaping should be added to the jupyterlab_server as well. However, since JupyterLab overrides the index.html template from jupyterlab_server, this PR is the one that affects JupyterLab itself.
User-facing changes
None
Backwards-incompatible changes
Should be none
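The two escaping concerns in this PR (JSON strings placed in the HTML template, and URL encoding that must keep `:` in a full URL), as an added example that is not code from the PR or from JupyterLab. It uses the Python standard library as a stand-in for the Jinja filters; the template fragment, function names and sample values are constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample page config; the "workspace" value carries markup that
# would end a <script> block early if written into the page unescaped.
PAGE_CONFIG = {
    "baseUrl": "/user/alice/",
    "workspace": "</script><script>alert(1)</script>",
}

# Hypothetical template fragment, not JupyterLab's index.html.
TEMPLATE = '<script id="page-config" type="application/json">{}</script>'


def render_unescaped(config):
    """'Before' form: the JSON text is placed in the HTML as-is."""
    return TEMPLATE.format(json.dumps(config))


def json_for_html(config):
    """Serialize to JSON, writing < > & ' as \\uXXXX escapes.

    These characters only occur inside JSON strings, so the output is
    still valid JSON and parses back to the same object.
    """
    text = json.dumps(config)
    for ch in "<>&'":
        text = text.replace(ch, "\\u{:04x}".format(ord(ch)))
    return text


def render_escaped(config):
    """'After' form: the browser sees exactly one closing script tag."""
    return TEMPLATE.format(json_for_html(config))


def quote_default(url):
    """Percent-encode with only '/' kept, so ':' becomes %3A."""
    return quote(url, safe="/")


def quote_full_url(url):
    """Percent-encode but keep ':' so scheme and port survive."""
    return quote(url, safe="/:")


def roundtrips(config):
    return json.loads(json_for_html(config)) == config
```

If the server side applies the same escaping before the template does, the output is escaped twice, which is the double-escaping conflict noted under References.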