From 00ae43e26c01f253ca9474c0c7e4a0cfc59c0976 Mon Sep 17 00:00:00 2001
From: Nicola Tarocco <ntarocco@gmail.com>
Date: Thu, 14 Sep 2023 09:32:26 +0200
Subject: [PATCH] ipynb: sanitize HTML using Invenio allowed tags
---
 invenio_previewer/extensions/ipynb.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/invenio_previewer/extensions/ipynb.py b/invenio_previewer/extensions/ipynb.py
index 64e87a1..cbbfa67 100644
--- a/invenio_previewer/extensions/ipynb.py
+++ b/invenio_previewer/extensions/ipynb.py
@@ -12,9 +12,10 @@
 import os
 import nbformat
-from flask import render_template
+from flask import current_app, render_template
 from invenio_i18n import gettext as _
 from nbconvert import HTMLExporter
+from traitlets.config import Config
 from ..proxies import current_previewer
@@ -36,7 +37,12 @@ def render(file):
 except nbformat.reader.NotJSONError:
 return _("Error: Not a ipynb/json file"), {}
- html_exporter = HTMLExporter(embed_images=True, sanitize_html=True)
+ c = Config()
+ c.HTMLExporter.preprocessors = ["nbconvert.preprocessors.sanitize.SanitizeHTML"]
+ c.SanitizeHTML.tags = current_app.config.get("ALLOWED_HTML_TAGS", [])
+ c.SanitizeHTML.attributes = current_app.config.get("ALLOWED_HTML_ATTRS", {})
+ c.SanitizeHTML.strip = True
+ html_exporter = HTMLExporter(config=c, embed_images=True)
 html_exporter.template_file = "base"
 body, resources = html_exporter.from_notebook_node(notebook)
 return body, resources
--
GitLab
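Review bot: The new `HTMLExporter(config=c, embed_images=True)` call in the second hunk drops `sanitize_html=True`, so sanitisation of the rendered notebook now rests on the `SanitizeHTML` preprocessor alone. The preprocessor cleans notebook content before templating, whereas the exporter flag, as far as I can tell, drives cleaning at render time in the templates, so the two may not cover the same fields. Unless the removal is deliberate (for instance because nbconvert's built-in allowlist conflicts with the Invenio one), keeping both is the safer default: `html_exporter = HTMLExporter(config=c, embed_images=True, sanitize_html=True)`. If it is deliberate, a comment above `c = Config()` should say so and note that the empty defaults for `ALLOWED_HTML_TAGS` and `ALLOWED_HTML_ATTRS`, combined with `strip = True`, fail closed by removing all markup. `render` begins outside the hunk, so how `body` is later embedded in the page is not visible here.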