att / rcloud

Collaborative data analysis and visualization
http://rcloud.social
MIT License

sanitize notebook titles #2717

Closed gordonwoodhull closed 4 years ago

gordonwoodhull commented 4 years ago

It is possible to put a JS payload into a notebook title.

Once this happens, any refresh to the notebook tree causes the JS to run.

We need to sanitize notebook titles so that this doesn't happen.

gordonwoodhull commented 4 years ago

The notebook tree is safe here - the issue was in the recent notebooks list, so it actually couldn't affect other users.

The safe way to load such text is using the web framework's text input instead of HTML input, in this case

.append($desc = $('<span class="description"></span>').text(desc))

instead of

.append($desc = $('<span class="description">'+desc+'</span>'))

(also .text() vs .html() in D3)
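The contrast in the comment above, as an added example that is not rcloud's own code: the two jQuery idioms are modelled with plain strings so the snippet runs without a browser or jQuery. `escapeHtml` stands in for what the browser does when `.text()` (or D3's `.text()`) sets `textContent`, and `renderDescriptionUnsafe` reproduces the string-concatenation bug. The title value, the function names and `countTags` are constructed for this illustration.

```javascript
// Added example, not part of rcloud. Models the fix from the comment above
// without jQuery: string concatenation vs. text-node assignment.

// Escape the HTML-significant characters. A browser never parses the
// argument of .text()/textContent as markup; when that node is serialized
// back to HTML it comes out exactly like this.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern, equivalent to
//   $('<span class="description">' + desc + '</span>')
// Any markup inside desc becomes real elements in the page.
function renderDescriptionUnsafe(desc) {
  return '<span class="description">' + desc + '</span>';
}

// Safe pattern, equivalent to
//   $('<span class="description"></span>').text(desc)
// desc can only ever become a text node inside the span.
function renderDescriptionSafe(desc) {
  return '<span class="description">' + escapeHtml(desc) + '</span>';
}

// Defensive check: count tag openers in the rendered markup. A correctly
// rendered description has exactly two (the span open and close tags).
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample title carrying markup, the shape of input the issue describes.
const TITLE = 'Quarterly report <script>payload()</script>';

function main() {
  const unsafe = renderDescriptionUnsafe(TITLE);
  const safe = renderDescriptionSafe(TITLE);
  console.log('unsafe :', unsafe, '| tags =', countTags(unsafe)); // 4 tags
  console.log('safe   :', safe, '| tags =', countTags(safe));     // 2 tags
}

if (typeof require !== 'undefined' && require.main === module) {
  main();
}
```

The same reasoning applies to D3: `selection.html(desc)` re-parses the string as markup, `selection.text(desc)` does not, so user-controlled values such as notebook titles should only ever flow through `.text()`.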