Merge branch 'directory-xss'

Author: minrk

docs/source/changelog.rst

@@ -21,6 +21,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
     Use ``pip install pip --upgrade`` to upgrade pip. Check pip version with
     ``pip --version``.
 
+.. _release-5.7.2:
+
+5.7.2
+-----
+
+5.7.2 contains a security fix preventing malicious directory names
+from being able to execute javascript. CVE request pending.
+
+.. _release-5.7.1:
+
+5.7.1
+-----
+
+5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.
+
 .. _release-5.7.0:
 
 5.7.0

notebook/static/tree/js/notebooklist.js

@@ -383,18 +383,28 @@ define([
         breadcrumb.empty();
         var list_item = $('<li/>');
         var root_url = utils.url_path_join(that.base_url, '/tree');
-        var root = $('<li/>').append('<a href="' + root_url + '"><i class="fa fa-folder"></i></a>').click(function(e) {
-            // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
-            if(e.altKey || e.metaKey || e.shiftKey) {
-                return true;
-            }
-            var path = '';
-            window.history.pushState({
-                path: path
-            }, 'Home', utils.url_path_join(that.base_url, 'tree'));
-            that.update_location(path);
-            return false;
-        });
+        var root = $('<li/>').append(
+            $("<a/>")
+            .attr('href', root_url)
+            .append(
+                $("<i/>")
+                .addClass('fa fa-folder')
+            )
+            .click(function(e) {
+                // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+                if(e.altKey || e.metaKey || e.shiftKey) {
+                    return true;
+                }
+                var path = '';
+                window.history.pushState(
+                    {path: path},
+                    'Home',
+                    utils.url_path_join(that.base_url, 'tree')
+                );
+                that.update_location(path);
+                return false;
+            })
+        );
         breadcrumb.append(root);
         var path_parts = [];
         this.notebook_path.split('/').forEach(function(path_part) {
@@ -405,17 +415,24 @@ define([
                 '/tree',
                 utils.encode_uri_components(path)
             );
-            var crumb = $('<li/>').append('<a href="' + url + '">' + path_part + '</a>').click(function(e) {
-                // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
-                if(e.altKey || e.metaKey || e.shiftKey) {
-                    return true;
-                }
-                window.history.pushState({
-                    path: path
-                }, path, url);
-                that.update_location(path);
-                return false;
-            });
+            var crumb = $('<li/>').append(
+                $('<a/>')
+                .attr('href', url)
+                .text(path_part)
+                .click(function(e) {
+                    // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+                    if(e.altKey || e.metaKey || e.shiftKey) {
+                        return true;
+                    }
+                    window.history.pushState(
+                        {path: path},
+                        path,
+                        url
+                    );
+                    that.update_location(path);
+                    return false;
+                })
+            );
             breadcrumb.append(crumb);
         });
         this.contents.list_contents(that.notebook_path).then(