From 3ab41641cf6fce3860c73d5cf4645aa12e1e5892 Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier <bussonniermatthias@gmail.com>
Date: Tue, 1 Sep 2015 16:29:25 +0200
Subject: [PATCH] Fix XSS reported on Security list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

No CVE-ID yet

August 18, 2015
-----
Reported to Quantopian by Juan Broullón <thebrowfc@gmail.com>...

If you create a new folder in the iPython file browser and set
Javascript code as its name the code injected will be executed. So, if I
create a folder called "><img src=x onerror=alert(document.cookie)> and
then I access to it, the cookies will be prompted.

The XSS code is also executed if you access a link pointing directly at
the folder.

  jik
------
---
 IPython/html/notebookapp.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/IPython/html/notebookapp.py b/IPython/html/notebookapp.py
index 0464144..094812b 100644
--- a/IPython/html/notebookapp.py
+++ b/IPython/html/notebookapp.py
@@ -158,7 +158,9 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
             _template_path = (_template_path,)
         template_path = [os.path.expanduser(path) for path in _template_path]
 
-        jenv_opt = jinja_env_options if jinja_env_options else {}
+        jenv_opt = {"autoescape": True}
+        jenv_opt.update(jinja_env_options if jinja_env_options else {})
+
         env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
         
         sys_info = get_sys_info()