##// END OF EJS Templates
fix access to png width and height in nbconvert html basic template
fix access to png width and height in nbconvert html basic template

File last commit:

r15653:f66c0b63
r19893:3996b0e5
Show More
security.js
56 lines | 2.4 KiB | application/javascript | JavascriptLexer
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 safe_tests = [
"<p>Hi there</p>",
'<h1 class="foo">Hi There!</h1>',
MinRK
check trust of data-attributes in sanitization
r15642 '<a data-cite="foo">citation</a>',
MinRK
testing for sanitize
r15646 '<div><span>Hi There</span></div>',
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 ];
unsafe_tests = [
"<script>alert(999);</script>",
'<a onmouseover="alert(999)">999</a>',
'<a onmouseover=alert(999)>999</a>',
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
'<IMG SRC=# onmouseover="alert(999)">',
'<<SCRIPT>alert(999);//<</SCRIPT>',
'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
MinRK
remove security.is_safe
r15653 // CSS is scrubbed
'<style src="http://untrusted/style.css"></style>',
'<style>div#notebook { background-color: alert-red; }</style>',
'<div style="background-color: alert-red;"></div>',
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 ];
MinRK
remove security.is_safe
r15653 var truncate = function (s, n) {
// truncate a string with an ellipsis
if (s.length > n) {
return s.substr(0, n-3) + '...';
} else {
return s;
}
};
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 casper.notebook_test(function () {
this.each(safe_tests, function (self, item) {
MinRK
sanitize CSS...
r15651 var sanitized = self.evaluate(function (item) {
return IPython.security.sanitize_html(item);
}, item);
MinRK
remove security.is_safe
r15653 // string equality may be too strict, but it works for now
this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 });
MinRK
remove security.is_safe
r15653
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 this.each(unsafe_tests, function (self, item) {
MinRK
testing for sanitize
r15646 var sanitized = self.evaluate(function (item) {
return IPython.security.sanitize_html(item);
}, item);
MinRK
remove security.is_safe
r15653
this.test.assertNotEquals(sanitized, item,
"Sanitized: '" + truncate(item, 32) +
"' => '" + truncate(sanitized, 32) + "'"
);
this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
Brian E. Granger
Adding first round of security tests of is_safe.
r15635 });
});