Merge branch 'v1.9.6'

2026-03-20 02:26:12 +00:00 · 2016-02-11 17:56:16 +01:00 · 2016-02-11 17:56:16 +01:00 · c91a76f212
commit c91a76f212
parent 621b137285 9413a611a9
2 changed files with 14 additions and 10 deletions
--- a/previewer_jupyter/indico_previewer_jupyter/controllers.py
+++ b/previewer_jupyter/indico_previewer_jupyter/controllers.py
@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with Indico; if not, see <http://www.gnu.org/licenses/>.

+from uuid import uuid4
+
 import nbformat
 from flask import session, render_template, request, current_app
 from nbconvert.exporters import HTMLExporter
@ -40,7 +42,7 @@ class RHEventPreviewIPyNB(RH):
    def _process(self):
        config = Config()
        config.HTMLExporter.preprocessors = [CppHighlighter]
-        config.HTMLExporter.template_file = 'full'
+        config.HTMLExporter.template_file = 'basic'

        with self.attachment.file.open() as f:
            notebook = nbformat.read(f, as_version=4)
@ -49,12 +51,13 @@ class RHEventPreviewIPyNB(RH):
        body, resources = html_exporter.from_notebook_node(notebook)
        css_code = '\n'.join(resources['inlining'].get('css', []))

+        nonce = str(uuid4())
        html = render_template('previewer_jupyter:ipynb_preview.html', attachment=self.attachment,
-                               html_code=body, css_code=css_code)
+                               html_code=body, css_code=css_code, nonce=nonce)

        response = current_app.response_class(html)
        # Use CSP to restrict access to possibly malicious scripts or inline JS
-        csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';"
+        csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'nonce-{}';".format(nonce)
        response.headers['Content-Security-Policy'] = csp_header
        response.headers['X-Webkit-CSP'] = csp_header
        # IE10 doesn't have proper CSP support, so we need to be more strict
--- a/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html
+++ b/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html
@ -5,9 +5,11 @@
        <style>
            {{ css_code }}
        </style>
-        <script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_HTML"></script>
-        <script type="text/x-mathjax-config">
-            MathJax.Hub.Config({
+    </head>
+    <body>
+        {{ html_code | safe }}
+        <script type="text/javascript" nonce="{{ nonce }}">
+            var MathJax = {
                tex2jax: {
                    inlineMath: [ ['$','$'], ["\\(","\\)"] ],
                    displayMath: [ ['$$','$$'], ["\\[","\\]"] ],
@ -21,10 +23,9 @@
                    styles: {'.MathJax_Display': {"margin": 0}},
                    linebreaks: { automatic: true }
                }
-            });
+            };
+        </script>
+        <script src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_HTML">
        </script>
-    </head>
-    <body>
-        {{ html_code | safe }}
    </body>
 </html>