From 9413a611a96cbbd664a27dcafd85982492d00d37 Mon Sep 17 00:00:00 2001 From: Pedro Ferreira Date: Thu, 11 Feb 2016 16:23:14 +0100 Subject: [PATCH] Make MathJax work without unsafe-eval Once again, possible XSS attack vector. --- .../indico_previewer_jupyter/controllers.py | 9 ++++++--- .../templates/ipynb_preview.html | 15 ++++++++------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/previewer_jupyter/indico_previewer_jupyter/controllers.py b/previewer_jupyter/indico_previewer_jupyter/controllers.py index 7e4c7b2..0f1631c 100644 --- a/previewer_jupyter/indico_previewer_jupyter/controllers.py +++ b/previewer_jupyter/indico_previewer_jupyter/controllers.py @@ -14,6 +14,8 @@ # You should have received a copy of the GNU General Public License # along with Indico; if not, see . +from uuid import uuid4 + import nbformat from flask import session, render_template, request, current_app from nbconvert.exporters import HTMLExporter @@ -40,7 +42,7 @@ class RHEventPreviewIPyNB(RH): def _process(self): config = Config() config.HTMLExporter.preprocessors = [CppHighlighter] - config.HTMLExporter.template_file = 'full' + config.HTMLExporter.template_file = 'basic' with self.attachment.file.open() as f: notebook = nbformat.read(f, as_version=4) 
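Review bot: The switch from `'full'` to `'basic'` in the second hunk is the load-bearing half of this change and deserves a comment, since a future maintainer seeing MathJax "missing" from the exporter output could revert it and silently reintroduce the inline/eval-dependent page shell. The `'basic'` exporter template yields only the notebook body, and the surrounding document, the MathJax loader and the nonce-tagged scripts presumably now come from `ipynb_preview.html`. I would annotate the line: `config.HTMLExporter.template_file = 'basic'  # body only; page shell + MathJax live in ipynb_preview.html under a nonce CSP`. `_process` continues past the end of this hunk.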
@@ -49,12 +51,13 @@ class RHEventPreviewIPyNB(RH): body, resources = html_exporter.from_notebook_node(notebook) css_code = '\n'.join(resources['inlining'].get('css', [])) + nonce = str(uuid4()) html = render_template('previewer_jupyter:ipynb_preview.html', attachment=self.attachment, - html_code=body, css_code=css_code) + html_code=body, css_code=css_code, nonce=nonce) response = current_app.response_class(html) # Use CSP to restrict access to possibly malicious scripts or inline JS - csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';" + csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'nonce-{}';".format(nonce) response.headers['Content-Security-Policy'] = csp_header response.headers['X-Webkit-CSP'] = csp_header # IE10 doesn't have proper CSP support, so we need to be more strict diff --git a/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html b/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html index b61c782..1a2228e 100644 --- a/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html +++ b/previewer_jupyter/indico_previewer_jupyter/templates/ipynb_preview.html @@ -5,9 +5,11 @@ - - + - - - {{ html_code | safe }}
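Review bot: The new policy still consists of a single `script-src` directive, so everything that is not a script — plugin content via `<object>`/`<embed>` and `<base>` rewriting of the relative URLs the allowlisted CDN scripts resolve — remains unrestricted even though the page body is notebook-derived HTML that the exporter hands back to the template unescaped. I would extend the header to `csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'nonce-{}'; object-src 'none'; base-uri 'none';".format(nonce)`. The nonce itself is fine in size (uuid4 carries 122 random bits, above the 128-bit-ish bar the CSP spec recommends is arguable but close), but on Python 2 `uuid.uuid4()` can fall back to the non-cryptographic `random` module when `os.urandom` is unavailable, so a comment stating that CSPRNG output is required, or deriving the nonce from `os.urandom` directly, would make the intent explicit. Note also that keeping `cdnjs.cloudflare.com` as a host allowlist alongside the nonce means any script-gadget library hosted there can still be loaded by injected markup; this is a known limitation rather than something the commit introduces, but worth a comment next to the header. `_process` continues beyond this hunk.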