
Correct escaping in other templates we distribute.

Jason Grout 5 yıl önce
ebeveyn
işleme
11828db625

+ 2 - 2
dev_mode/templates/error.html

@@ -8,7 +8,7 @@ Distributed under the terms of the Modified BSD License.
 <head>
   <meta charset="utf-8">
 
-  <title>{% block title %}{{page_title}}{% endblock %}</title>
+  <title>{% block title %}{{page_title | escape}}{% endblock %}</title>
 
   {% block favicon %}<link rel="shortcut icon" type="image/x-icon" href="/static/base/images/favicon.ico">{% endblock %}
 
@@ -30,7 +30,7 @@ div#header, div#site {
     {% block h1_error %}
     <h2>JupyterLab assets not detected, please rebuild</h2>
     <script>
-    console.error('Missing assets in "{{static_dir}}"');
+    console.error('Missing assets in "{{static_dir | escape}}"');
     </script>
     {% endblock h1_error %}
 </header>
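Review bot: `console.error('Missing assets in "{{static_dir | escape}}"');` in the second hunk applies HTML escaping inside a JavaScript string literal, which is the wrong context for it: `escape` rewrites `'`, `"`, `<`, `>` and `&` as entities, so the literal can no longer be closed early and `</script>` cannot appear, but backslashes and line breaks are left as they are, so a value ending in a backslash or containing a newline still breaks the literal, and what reaches the console is the entity-mangled path rather than the real one. The same mismatch is in `examples/app/templates/error.html`, `console.error("{{message | e}}")`, where `message` is also rendered in a `<pre>` and presumably may span several lines. Emitting the value as a JSON literal keeps it both safe inside `<script>` and faithful, e.g. `console.error('Missing assets in ' + {{ static_dir | tojson }});` here and `console.error({{ message | tojson }})` in the other template. The `<title>` change in the first hunk is right as it stands; note only that this file spells the filter `escape` while the sibling template uses the `e` alias, and one spelling across the distributed templates would read better.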

+ 4 - 4
examples/app/templates/error.html

@@ -8,7 +8,7 @@ Distributed under the terms of the Modified BSD License.
 <head>
   <meta charset="utf-8">
 
-  <title>{% block title %}{{page_title}}{% endblock %}</title>
+  <title>{% block title %}{{page_title | e}}{% endblock %}</title>
 
   {% block favicon %}<link rel="shortcut icon" type="image/x-icon" href="/static/base/images/favicon.ico">{% endblock %}
 
@@ -28,13 +28,13 @@ div#header, div#site {
 
 <div class="error">
     {% block h1_error %}
-    <h1>{{status_code}} : {{status_message}}</h1>
+    <h1>{{status_code | e}} : {{status_message | e}}</h1>
     {% endblock h1_error %}
     {% block error_detail %}
     {% if message %}
     <p>The error was:</p>
     <div class="traceback-wrapper">
-    <pre class="traceback">{{message}}</pre>
+    <pre class="traceback">{{message | e}}</pre>
     </div>
     {% endif %}
     {% endblock %}
@@ -48,7 +48,7 @@ window.onload = function () {
   var tb = document.getElementsByClassName('traceback')[0];
   tb.scrollTop = tb.scrollHeight;
   {% if message %}
-  console.error("{{message}}")
+  console.error("{{message | e}}")
   {% endif %}
 };
 </script>

+ 11 - 9
examples/app/templates/index.html

@@ -1,17 +1,19 @@
 <!DOCTYPE html>
 <html>
 <head>
-  <title>{{page_config['appName']}}</title>
+  <title>{{page_config['appName'] | e}}</title>
 </head>
 <body>
-  <script id='jupyter-config-data' type="application/json">{
-  {% for key, value in page_config.items() -%}
-  "{{ key }}": "{{ value }}",
-  {% endfor -%}
-  "baseUrl": "{{base_url}}",
-  "wsUrl": "{{ws_url}}"
- }</script>
-  <script src="{{page_config['fullStaticUrl']}}/bundle.js" main="index"></script>
+    {# Copy so we do not modify the page_config with updates. #}
+    {% set page_config_full = page_config.copy() %}
+    
+    {# Set a dummy variable - we just want the side effect of the update. #}
+    {% set _ = page_config_full.update(baseUrl=base_url, wsUrl=ws_url) %}
+    
+      <script id="jupyter-config-data" type="application/json">
+        {{ page_config_full | tojson }}
+      </script>
+  <script src="{{page_config['fullStaticUrl'] | e}}/bundle.js" main="index"></script>
 
   <script type="text/javascript">
     /* Remove token from URL. */
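Review bot: `{{ page_config_full | tojson }}` changes the JSON type of every non-string config value, because the removed loop emitted each entry as `"{{ key }}": "{{ value }}"` and therefore always as a string, whereas `tojson` serializes a Python bool, int or None as `true`, `1` or `null`. That is the more honest representation, but any consumer of `jupyter-config-data` that compared a value against its string form should be checked; this presumably also applies to `terminalsAvailable` in `examples/terminal/index.html`, which was quoted before this change. The `{% set _ = page_config_full.update(...) %}` line is a reasonable way to get a side effect in a template, and the comment above it already explains why, which is enough. The indentation of the new lines drifts (the `{% set %}` lines at four spaces, the config `<script>` at six, `<script src=…>` at two); aligning them with the surrounding markup would help.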

+ 6 - 5
examples/cell/index.html

@@ -5,11 +5,12 @@
     <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_CHTML-full,Safe&amp;delayStartupUntil=configured"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+      {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+      
+        <script id="jupyter-config-data" type="application/json">
+          {{ page_config_full | tojson }}
+        </script>
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */
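Review bot: The added lines in this hunk are indented inconsistently with the surrounding markup and with the otherwise identical hunks in `examples/console/index.html`, `examples/filebrowser/index.html` and `examples/terminal/index.html`: the `{% set %}` sits at six spaces and the config `<script>` at eight, while the following `<script src=…>` and the rest of the body are at four. Bringing them to four spaces, as in the sibling files, would make the four templates diff-identical and later changes to this block easier to apply uniformly. The `{% set %}` and `{{ … | tojson }}` lines also leave blank lines in the rendered page; `{%- set … -%}` would trim them, though that is cosmetic.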

+ 7 - 5
examples/console/index.html

@@ -5,11 +5,13 @@
     <script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_CHTML-full,Safe&amp;delayStartupUntil=configured"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */

+ 7 - 5
examples/filebrowser/index.html

@@ -4,11 +4,13 @@
     <title>FileBrowser Demo</title>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-        "baseUrl": "{{base_url}}",
-        "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */

+ 1 - 1
examples/notebook/index.html

@@ -7,7 +7,7 @@
     <script id='jupyter-config-data' type="application/json">
       {{ config_data|tojson }}
     </script>
-    <script src="{{config_data['frontendUrl']}}bundle.js"></script>
+    <script src="{{config_data['frontendUrl'] | e}}bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */

+ 7 - 6
examples/terminal/index.html

@@ -4,12 +4,13 @@
     <title>Terminal Demo</title>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{
-      "baseUrl": "{{base_url}}",
-      "terminalsAvailable": "{{terminals_available}}",
-      "token": "{{token}}"
-    }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url, 'token': token, 'terminalsAvailable': terminals_available} %}
+    
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
 
     <script type="text/javascript">
       /* Remove token from URL. */

+ 7 - 2
packages/services/examples/browser-require/index.html

@@ -10,7 +10,12 @@
     </style>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+  
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
     <h1>Run code!</h1>
     <p>
       Type code in the text area and click run to execute it.
@@ -33,6 +38,6 @@
         }
     });
     </script>
-    <script src="{{base_url}}example/index.js"></script>
+    <script src="{{base_url | e}}example/index.js"></script>
   </body>
 </html>

+ 7 - 2
packages/services/examples/browser/index.html

@@ -5,8 +5,13 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/require.js/2.2.0/require.js"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+  
+    <script src="{{base_url | e}}example/bundle.js"></script>
     <pre id='output'></pre>
   </body>
 </html>

+ 7 - 2
packages/services/examples/typescript-browser-with-output/index.html

@@ -5,8 +5,13 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/require.js/2.2.0/require.js"></script>
   </head>
   <body>
-    <script id='jupyter-config-data' type="application/json">{ "baseUrl": "{{base_url}}" }</script>
-    <script src="{{base_url}}example/bundle.js"></script>
+    {% set page_config_full = {'baseUrl': base_url} %}
+
+    <script id="jupyter-config-data" type="application/json">
+      {{ page_config_full | tojson }}
+    </script>
+
+    <script src="{{base_url | e}}example/bundle.js"></script>
     <span id='outputarea'></span>
   </body>
 </html>