From 00ae43e26c01f253ca9474c0c7e4a0cfc59c0976 Mon Sep 17 00:00:00 2001
From: Nicola Tarocco <ntarocco@gmail.com>
Date: Thu, 14 Sep 2023 09:32:26 +0200
Subject: [PATCH] ipynb: sanitize HTML using Invenio allowed tags

---
 invenio_previewer/extensions/ipynb.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/invenio_previewer/extensions/ipynb.py b/invenio_previewer/extensions/ipynb.py
index 64e87a1..cbbfa67 100644
--- a/invenio_previewer/extensions/ipynb.py
+++ b/invenio_previewer/extensions/ipynb.py
@@ -12,9 +12,10 @@
 import os
 
 import nbformat
-from flask import render_template
+from flask import current_app, render_template
 from invenio_i18n import gettext as _
 from nbconvert import HTMLExporter
+from traitlets.config import Config
 
 from ..proxies import current_previewer
 
@@ -36,7 +37,12 @@ def render(file):
     except nbformat.reader.NotJSONError:
         return _("Error: Not a ipynb/json file"), {}
 
-    html_exporter = HTMLExporter(embed_images=True, sanitize_html=True)
+    c = Config()
+    c.HTMLExporter.preprocessors = ["nbconvert.preprocessors.sanitize.SanitizeHTML"]
+    c.SanitizeHTML.tags = current_app.config.get("ALLOWED_HTML_TAGS", [])
+    c.SanitizeHTML.attributes = current_app.config.get("ALLOWED_HTML_ATTRS", {})
+    c.SanitizeHTML.strip = True
+    html_exporter = HTMLExporter(config=c, embed_images=True)
     html_exporter.template_file = "base"
     body, resources = html_exporter.from_notebook_node(notebook)
     return body, resources
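Review bot: The fallbacks on the `c.SanitizeHTML.tags` and `c.SanitizeHTML.attributes` lines turn a missing Invenio setting into an empty allowlist, and because `c.SanitizeHTML.strip = True` follows, a deployment without `ALLOWED_HTML_TAGS`/`ALLOWED_HTML_ATTRS` silently flattens every markdown cell and HTML output to bare text instead of surfacing the misconfiguration. Failing closed is the right posture, but it should be explicit: a comment such as `# Unset ALLOWED_HTML_TAGS/ALLOWED_HTML_ATTRS -> empty allowlist, all markup is stripped (fail closed)` above the `Config()` line, or a `current_app.logger.warning(...)` when either key is absent, would make the degraded rendering diagnosable. Note also that a `style` attribute allowed via `ALLOWED_HTML_ATTRS` is still gated by the preprocessor's separate `SanitizeHTML.styles` CSS-property allowlist, which this hunk leaves at its default; that is presumably intended, but worth stating in the same comment. The enclosing `render` function starts above the hunk (the `except` on the first hunk line closes a `try` that is not shown).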
-- 
GitLab