diff --git a/nbconvert/exporters/tests/files/notebook_inject.ipynb b/nbconvert/exporters/tests/files/notebook_inject.ipynb
index 8f3c8dd53..bfd2163cd 100644
--- a/nbconvert/exporters/tests/files/notebook_inject.ipynb
+++ b/nbconvert/exporters/tests/files/notebook_inject.ipynb
@@ -136,6 +136,44 @@
}
],
"source": [""]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "d72e635a",
+ "metadata": {},
+ "outputs": [
+ {
+ "output_type": "execute_result",
+ "data": {
+ "image/png": ["abcd"]
+ },
+ "execution_count": null,
+ "metadata": {
+ "width": ">"
+ }
+ }
+ ],
+ "source": [""]
+ },
+ {
+ "cell_type": "code",
+ "execution_count": null,
+ "id": "d72e635a",
+ "metadata": {},
+ "outputs": [
+ {
+ "output_type": "execute_result",
+ "data": {
+ "image/png": ["abcd"]
+ },
+ "execution_count": null,
+ "metadata": {
+ "height": ">"
+ }
+ }
+ ],
+ "source": [""]
}
],
"metadata": {
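Review bot: Both added cells carry the same `"id": "d72e635a"`, and the fixture cell just above them may too (its id is outside the hunk). Notebook cell ids are expected to be unique under nbformat 4.5+, so a validating reader or a future nbformat upgrade may warn on or rewrite this fixture; giving each new cell its own id (any distinct placeholder string) costs nothing. The fixture also probes only a single `>` in width and height; since the templates emit these as unquoted attributes, a value containing whitespace is the case most worth covering, so consider a third cell whose width metadata is `"1 x"` (constructed example) and an assertion that the rendered `<img>` still has exactly the attributes you expect.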
diff --git a/nbconvert/exporters/tests/test_html.py b/nbconvert/exporters/tests/test_html.py
index d870ea302..72c57f4fc 100644
--- a/nbconvert/exporters/tests/test_html.py
+++ b/nbconvert/exporters/tests/test_html.py
@@ -163,3 +163,7 @@ def test_javascript_injection(self):
# Check injection in image data
assert "" not in output
assert "" not in output
+
+ # Check injection in image width/height
+ assert "" not in output
+ assert "" not in output
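Review bot: The two new assertions check only that the raw injected fragment is absent, so a regression that drops the width/height attribute entirely (or the whole `<img>` tag) would still pass; pair each with a positive check that the escaped form is present, e.g. `assert "width=&gt;" in output` and `assert "height=&gt;" in output`, adjusted to whatever `escape_html` actually emits. As rendered here the string literals read as `""`, which looks like the page extraction stripped the markup rather than the committed code; if the literals really were empty the assertions would always fail, since `"" not in output` is never true. `test_javascript_injection` starts above this hunk, so the setup of `output` is not visible here.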
diff --git a/share/jupyter/nbconvert/templates/classic/base.html.j2 b/share/jupyter/nbconvert/templates/classic/base.html.j2
index 70f87f274..ebc11ae13 100644
--- a/share/jupyter/nbconvert/templates/classic/base.html.j2
+++ b/share/jupyter/nbconvert/templates/classic/base.html.j2
@@ -162,18 +162,18 @@ unknown type {{ cell.type }}
{%- endif %}
{%- set width=output | get_metadata('width', 'image/png') -%}
{%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
{%- endif %}
{%- set height=output | get_metadata('height', 'image/png') -%}
{%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
{%- endif %}
{%- if output | get_metadata('unconfined', 'image/png') %}
class="unconfined"
{%- endif %}
{%- set alttext=(output | get_metadata('alt', 'image/png')) or (cell | get_metadata('alt')) -%}
{%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
{%- endif %}
>
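Review bot: `width={{ width | escape_html }}` and `height={{ height | escape_html }}` are still emitted as unquoted attribute values, and entity escaping does not neutralize whitespace, so a metadata value containing a space still terminates the attribute and whatever follows is parsed as a new attribute name; this is the same shape of problem the commit is fixing, just via a different metacharacter. Quote the attributes, `width="{{ width | escape_html }}"` and `height="{{ height | escape_html }}"`, which is safe as long as `escape_html` escapes double quotes (it appears to wrap `html.escape`, which does by default, but confirm). The same applies to the second classic hunk (`@@ -188`) and both hunks of `lab/base.html.j2` (`@@ -180` and `@@ -210`), where the lab template additionally places the unquoted value immediately before `class="`. The `alt` attribute is already quoted, so it needs only the escape the commit adds.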
@@ -188,18 +188,18 @@ alt="{{ alttext }}"
{%- endif %}
{%- set width=output | get_metadata('width', 'image/jpeg') -%}
{%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
{%- endif %}
{%- set height=output | get_metadata('height', 'image/jpeg') -%}
{%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
{%- endif %}
{%- if output | get_metadata('unconfined', 'image/jpeg') %}
class="unconfined"
{%- endif %}
{%- set alttext=(output | get_metadata('alt', 'image/jpeg')) or (cell | get_metadata('alt')) -%}
{%- if alttext is not none %}
-alt="{{ alttext }}"
+alt="{{ alttext | escape_html }}"
{%- endif %}
>
diff --git a/share/jupyter/nbconvert/templates/lab/base.html.j2 b/share/jupyter/nbconvert/templates/lab/base.html.j2
index 37df56e04..0180bbac0 100644
--- a/share/jupyter/nbconvert/templates/lab/base.html.j2
+++ b/share/jupyter/nbconvert/templates/lab/base.html.j2
@@ -180,11 +180,11 @@ unknown type {{ cell.type }}
{%- endif %}
{%- set width=output | get_metadata('width', 'image/png') -%}
{%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
{%- endif %}
{%- set height=output | get_metadata('height', 'image/png') -%}
{%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
{%- endif %}
class="
{%- if output | get_metadata('unconfined', 'image/png') %}
@@ -210,11 +210,11 @@ jp-needs-dark-background
{%- endif %}
{%- set width=output | get_metadata('width', 'image/jpeg') -%}
{%- if width is not none %}
-width={{ width }}
+width={{ width | escape_html }}
{%- endif %}
{%- set height=output | get_metadata('height', 'image/jpeg') -%}
{%- if height is not none %}
-height={{ height }}
+height={{ height | escape_html }}
{%- endif %}
class="
{%- if output | get_metadata('unconfined', 'image/jpeg') %}