FileLink: escape HTML unsafe characters from path

ciupicri · ciupicri · commit 4fbe14d8643d · 2018-03-28T15:30:45.000+03:00
path could contain HTML unsafe characters such as &amp;, ', " or even &lt; and
&gt; on Unix, so they should be escaped before putting it into HTML code
both as text and the href attribute.
diff --git a/IPython/lib/display.py b/IPython/lib/display.py
@@ -2,6 +2,7 @@
 
 Authors : MinRK, gregcaporaso, dannystaple
 """
+from html import escape as html_escape
 from os.path import exists, isfile, splitext, abspath, join, isdir
 from os import walk, sep, fsdecode
 
@@ -340,9 +341,10 @@ def __init__(self,
         self.result_html_suffix = result_html_suffix
 
     def _format_path(self):
-        fp = ''.join([self.url_prefix,self.path])
+        fp = ''.join([self.url_prefix, html_escape(self.path)])
         return ''.join([self.result_html_prefix,
-                        self.html_link_str % (fp, self.path),
+                        self.html_link_str % \
+                            (fp, html_escape(self.path, quote=False)),
                         self.result_html_suffix])
 
     def _repr_html_(self):
