Merge commit from fork

dmadisetti · web-flow · commit b2f7e9bcfa3e · 2025-10-21T13:54:35.000-04:00
diff --git a/marimo/_server/templates/templates.py b/marimo/_server/templates/templates.py
@@ -24,11 +24,24 @@
 MOUNT_CONFIG_TEMPLATE = "'{{ mount_config }}'"
 
 
+_json_script_escapes = {
+    ord(">"): "\\u003E",
+    ord("<"): "\\u003C",
+    ord("&"): "\\u0026",
+}
+
+
 def _html_escape(text: str) -> str:
     """Escape HTML special characters."""
     return html.escape(text, quote=True)
 
 
+def json_script(data: Any) -> str:
+    # See https://github.com/django/django/blob/main/django/utils/html.py#L88C1-L92C2
+    # Only escape values that can break out of a script tag
+    return json.dumps(data, sort_keys=True).translate(_json_script_escapes)
+
+
 def _get_mount_config(
     *,
     filename: Optional[str],
@@ -79,7 +92,7 @@ def _get_mount_config(
             "runtimeConfig": {runtime_config},
         }}
 """.format(
-        **{k: json.dumps(v, sort_keys=True) for k, v in options.items()}
+        **{k: json_script(v) for k, v in options.items()}
     ).strip()
 
 
@@ -258,7 +271,7 @@ def static_notebook_template(
         f"""
     <script data-marimo="true">
         window.__MARIMO_STATIC__ = {{}};
-        window.__MARIMO_STATIC__.files = {json.dumps(files)};
+        window.__MARIMO_STATIC__.files = {json_script(files)};
     </script>
     """
     )
diff --git a/tests/_server/templates/test_templates.py b/tests/_server/templates/test_templates.py
@@ -701,6 +701,119 @@ def test_static_notebook_template_with_nonexistent_custom_css(
         assert "<style title='marimo-custom'>" not in result
         _assert_no_leftover_replacements(result)
 
+    def test_static_files_injection_prevention(self) -> None:
+        """Test that malicious content in files dict doesn't enable script breakout."""
+        # Test with malicious file keys and values
+        malicious_files = {
+            "normal.txt": "safe content",
+            "</script><script>alert(1)</script>": "content",
+            "file.js": "</script><img src=x onerror=alert(1)>",
+            "test&<>.py": "content with <script>alert(1)</script>",
+        }
+
+        result = templates.static_notebook_template(
+            self.html,
+            self.user_config,
+            self.config_overrides,
+            self.server_token,
+            self.app_config,
+            self.filepath,
+            self.code,
+            hash_code(self.code),
+            self.session_snapshot,
+            self.notebook_snapshot,
+            malicious_files,
+        )
+
+        # Must not contain unescaped script breakout sequences (< and > escaped)
+        assert "</script><script>alert(1)" not in result
+        assert "<img" not in result  # The < should be escaped
+
+        # Must contain escaped versions of < and >
+        assert "\\u003C" in result or "\\u003E" in result
+
+        # Must still be valid HTML
+        _assert_no_leftover_replacements(result)
+
+    def test_static_malicious_filename_injection(self) -> None:
+        """Test that malicious filenames in static exports are properly escaped."""
+        malicious_filepath = self.tmp_path / "</script><script>alert(1)</script>.py"
+
+        result = templates.static_notebook_template(
+            self.html,
+            self.user_config,
+            self.config_overrides,
+            self.server_token,
+            self.app_config,
+            str(malicious_filepath),
+            self.code,
+            hash_code(self.code),
+            self.session_snapshot,
+            self.notebook_snapshot,
+            self.files,
+        )
+
+        # Must not contain unescaped script tags
+        assert "</script><script>" not in result
+        assert "<script>alert(1)" not in result.replace("\\u003Cscript\\u003E", "")
+
+        # Must contain escaped versions in JSON context
+        assert "\\u003C" in result or "\\u003E" in result
+
+        _assert_no_leftover_replacements(result)
+
+    def test_static_malicious_code_content(self) -> None:
+        """Test that malicious code content is properly escaped in static export."""
+        malicious_code = """
+import marimo as mo
+# This code contains </script><script>alert('XSS')</script>
+mo.md("<img src=x onerror=alert(1)>")
+"""
+
+        # Create session with malicious code in output
+        malicious_session = NotebookSessionV1(
+            version=VERSION,
+            metadata=NotebookSessionMetadata(marimo_version="0.1.0"),
+            cells=[
+                Cell(
+                    cell_id="cell1",
+                    code=malicious_code,
+                    outputs=[
+                        DataOutput(
+                            channel="output",
+                            mimetype="text/html",
+                            data="</script><script>alert(1)</script>",
+                            timestamp=0.0,
+                        )
+                    ],
+                    console=[],
+                )
+            ],
+        )
+
+        result = templates.static_notebook_template(
+            self.html,
+            self.user_config,
+            self.config_overrides,
+            self.server_token,
+            self.app_config,
+            self.filepath,
+            malicious_code,
+            hash_code(malicious_code),
+            malicious_session,
+            self.notebook_snapshot,
+            self.files,
+        )
+
+        # The malicious code itself should be in JSON context (escaped)
+        # Must not have unescaped dangerous sequences in script tags (< and > escaped)
+        assert "</script><script>alert('XSS')" not in result
+
+        # Must have escaped versions of < and >
+        assert "\\u003C" in result or "\\u003E" in result
+
+        _assert_no_leftover_replacements(result)
+
 
 class TestWasmNotebookTemplate(unittest.TestCase):
     def setUp(self) -> None:
diff --git a/tests/_server/test_templates_filename.py b/tests/_server/test_templates_filename.py
