Convert input to string prior to escape HTML

martinRenou · SylvainCorlay · commit bef65d7ab2a4 · 2022-08-09T14:31:09.000+02:00
diff --git a/nbconvert/exporters/templateexporter.py b/nbconvert/exporters/templateexporter.py
@@ -40,13 +40,6 @@
 )
 
 
-def escape_html(s, quote=True):
-    if not isinstance(s, str):
-        return s
-    else:
-        return html.escape(s)
-
-
 default_filters = {
     "indent": filters.indent,
     "markdown2html": filters.markdown2html,
@@ -78,7 +71,7 @@ def escape_html(s, quote=True):
     "convert_pandoc": filters.convert_pandoc,
     "json_dumps": json.dumps,
     # For removing any HTML
-    "escape_html": escape_html,
+    "escape_html": lambda s: html.escape(str(s)),
     # For sanitizing HTML for any XSS
     "clean_html": clean_html,
     "strip_trailing_newline": filters.strip_trailing_newline,
diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -156,6 +156,25 @@
     ],
     "source": [""]
    },
+   {
+    "cell_type": "code",
+    "execution_count": null,
+    "id": "d72e095a",
+    "metadata": {},
+    "outputs": [
+      {
+        "output_type": "execute_result",
+        "data": {
+         "image/png": ["abcd"]
+        },
+        "execution_count": null,
+        "metadata": {
+           "width": ["><script>alert('output.metadata.width png injection')</script>"]
+        }
+      }
+    ],
+    "source": [""]
+   },
    {
     "cell_type": "code",
     "execution_count": null,
