Escape invalid host when displayed in html

Author: manics

jupyter_server_proxy/handlers.py

@@ -16,6 +16,7 @@
 from jupyter_server.utils import ensure_async, url_path_join
 from simpervisor import SupervisedProcess
 from tornado import httpclient, httputil, web
+from tornado.escape import xhtml_escape
 from tornado.simple_httpclient import SimpleAsyncHTTPClient
 from traitlets import Bytes, Dict, Instance, Integer, Unicode, Union, default, observe
 from traitlets.traitlets import HasTraits
@@ -327,7 +328,7 @@ async def proxy(self, host, port, proxied_path):
             self.write(
                 "Host '{host}' is not allowed. "
                 "See https://jupyter-server-proxy.readthedocs.io/en/latest/arbitrary-ports-hosts.html for info.".format(
-                    host=host
+                    host=xhtml_escape(host)
                 )
             )
             return

tests/test_proxies.py

@@ -255,6 +255,14 @@ def test_server_proxy_host_absolute(a_server_port_and_token: Tuple[int, str]) ->
     assert "X-Proxycontextpath" not in s
 
 
+def test_server_proxy_host_invalid(a_server_port_and_token: Tuple[int, str]) -> None:
+    PORT, TOKEN = a_server_port_and_token
+    r = request_get(PORT, "/proxy/absolute/<invalid>:54321/", TOKEN)
+    assert r.code == 403
+    s = r.read().decode("ascii")
+    assert s.startswith("Host '&lt;invalid&gt;' is not allowed.")
+
+
 def test_server_proxy_port_non_service_rewrite_response(
     a_server_port_and_token: Tuple[int, str]
 ) -> None: