Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
nbdime provides tools for diffing and merging of Jupyter Notebooks. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed.