For .ipynb, rendered embedded images
What does this MR do and why?
Jupyter Notebooks often include outputs as images embedded as base64, which in many cases are important for a proper code review. They can be large (MB size), so since we were not rendering them we started hiding the output (!87669 (merged)); this MR changes that by actually displaying the image.
Screenshots or screen recordings
Before | After
---|---
![]() | ![]()
Security Concerns
This generates an image whose content comes from user generated content. The images are embedded as base64, in the format data:image/base64;data, and are added to the src attribute of the img tag, which makes them a vector for XSS injection. A malicious actor can create a diff containing a payload that renders HTML or triggers a JS call simply by opening the page. To avoid that, we escape HTML entities in the embedded image.
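The vulnerable and the escaped way of building the img tag, side by side, as an added example (not GitLab's code). The sample data URIs are constructed, and the strict allowlist in the last function is an extra check assumed here, not something the MR describes.

```ruby
require 'cgi'

# Constructed sample values (not taken from a real notebook).
GOOD_DATA = 'data:image/png;base64,iVBORw0KGgo='
# A value that tries to close the src attribute and inject markup.
BAD_DATA  = 'data:image/png;base64,abc"><b>injected</b>'

# Vulnerable: untrusted data interpolated straight into the attribute.
# A quote inside the value terminates src and the rest becomes markup.
def img_tag_unescaped(data)
  %(<img src="#{data}">)
end

# Hardened, layer 1: escape HTML entities, as the MR does, so a quote or
# angle bracket in the value can no longer terminate the attribute or tag.
def img_tag_escaped(data)
  %(<img src="#{CGI.escapeHTML(data)}">)
end

# Hardened, layer 2 (assumed extra check, not from the MR): only accept a
# plain base64 raster image data URI and drop everything else outright.
DATA_URI = %r{\Adata:image/(?:png|jpeg|gif|webp);base64,[A-Za-z0-9+/]+={0,2}\z}

def img_tag_strict(data)
  return nil unless DATA_URI.match?(data)
  img_tag_escaped(data)
end
```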
How to set up and validate locally
- Make sure the flag is enabled:
  ```ruby
  Feature.enable(:ipynb_semantic_diffs)
  ```
- On your GDK, navigate to a commit that contains a notebook (e.g. https://<your-gdk>/gitlab-org/gitlab-test/-/commit/5d6ed1503801ca9dc28e95eeb85a7cf863527aee#56a47b92c949c701e3e7c1a10675e8dc8b66ee4a_68_56)
- Check if the images are displayed in the diff
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.