upstream/ipython Files · IPython/html/tests/base/security.js

Merge pull request from minrk/windows-typo...

Merge pull request from minrk/windows-typo fix Windows typo

MinRK - - Load All Authors

File last commit:

r15653:f66c0b63


                r18543:500b543a

Download file

             security.js
        
                    56 lines
            
             | 2.4 KiB
            
                | application/javascript
            
             |
                JavascriptLexer
            
             / IPython / html / tests / base / security.js
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
      safe_tests = [

          "<p>Hi there</p>",

          '<h1 class="foo">Hi There!</h1>',

        MinRK
    
check trust of data-attributes in sanitization

              r15642
            
          '<a data-cite="foo">citation</a>',

        MinRK
    
testing for sanitize

              r15646
            
          '<div><span>Hi There</span></div>',

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
      ];

      unsafe_tests = [

          "<script>alert(999);</script>",

          '<a onmouseover="alert(999)">999</a>',

          '<a onmouseover=alert(999)>999</a>',

          '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',

          '<IMG SRC=# onmouseover="alert(999)">',

          '<<SCRIPT>alert(999);//<</SCRIPT>',

          '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',

          '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',

          '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',

          '<IFRAME SRC="javascript:alert(999);"></IFRAME>',

          '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',

          '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',

        MinRK
    
remove security.is_safe

              r15653
            
          // CSS is scrubbed

          '<style src="http://untrusted/style.css"></style>',

          '<style>div#notebook { background-color: alert-red; }</style>',

          '<div style="background-color: alert-red;"></div>',

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
      ];

        MinRK
    
remove security.is_safe

              r15653
            
      var truncate = function (s, n) {

          // truncate a string with an ellipsis

          if (s.length > n) {

              return s.substr(0, n-3) + '...';

          } else {

              return s;

          }

      };

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
      casper.notebook_test(function () {

          this.each(safe_tests, function (self, item) {

        MinRK
    
sanitize CSS...

              r15651
            
              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

        MinRK
    
remove security.is_safe

              r15653
            
              // string equality may be too strict, but it works for now

              this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
          });

        MinRK
    
remove security.is_safe

              r15653
            
        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
          this.each(unsafe_tests, function (self, item) {

        MinRK
    
testing for sanitize

              r15646
            
              var sanitized = self.evaluate(function (item) {

                  return IPython.security.sanitize_html(item);

              }, item);

        MinRK
    
remove security.is_safe

              r15653
            
              this.test.assertNotEquals(sanitized, item, 

                  "Sanitized: '" + truncate(item, 32) + 

                  "' => '" + truncate(sanitized, 32) + "'"

              );

              this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");

        Brian E. Granger
    
Adding first round of security tests of is_safe.

              r15635
            
          });

      });

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

Brian E. Granger Adding first round of security tests of is_safe.	r15635	safe_tests = [
		"<p>Hi there</p>",
		'<h1 class="foo">Hi There!</h1>',
MinRK check trust of data-attributes in sanitization	r15642	'<a data-cite="foo">citation</a>',
MinRK testing for sanitize	r15646	'<div><span>Hi There</span></div>',
Brian E. Granger Adding first round of security tests of is_safe.	r15635	];

		unsafe_tests = [
		"<script>alert(999);</script>",
		'<a onmouseover="alert(999)">999</a>',
		'<a onmouseover=alert(999)>999</a>',
		'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
		'<IMG SRC=# onmouseover="alert(999)">',
		'<<SCRIPT>alert(999);//<</SCRIPT>',
		'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
		'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
		'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
		'<IFRAME SRC="javascript:alert(999);"></IFRAME>',
		'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
		'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
MinRK remove security.is_safe	r15653	// CSS is scrubbed
		'<style src="http://untrusted/style.css"></style>',
		'<style>div#notebook { background-color: alert-red; }</style>',
		'<div style="background-color: alert-red;"></div>',
Brian E. Granger Adding first round of security tests of is_safe.	r15635	];

MinRK remove security.is_safe	r15653	var truncate = function (s, n) {
		// truncate a string with an ellipsis
		if (s.length > n) {
		return s.substr(0, n-3) + '...';
		} else {
		return s;
		}
		};

Brian E. Granger Adding first round of security tests of is_safe.	r15635	casper.notebook_test(function () {
		this.each(safe_tests, function (self, item) {
MinRK sanitize CSS...	r15651	var sanitized = self.evaluate(function (item) {
		return IPython.security.sanitize_html(item);
		}, item);

MinRK remove security.is_safe	r15653	// string equality may be too strict, but it works for now
		this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
Brian E. Granger Adding first round of security tests of is_safe.	r15635	});
MinRK remove security.is_safe	r15653
Brian E. Granger Adding first round of security tests of is_safe.	r15635	this.each(unsafe_tests, function (self, item) {
MinRK testing for sanitize	r15646	var sanitized = self.evaluate(function (item) {
		return IPython.security.sanitize_html(item);
		}, item);
MinRK remove security.is_safe	r15653
		this.test.assertNotEquals(sanitized, item,
		"Sanitized: '" + truncate(item, 32) +
		"' => '" + truncate(sanitized, 32) + "'"
		);
		this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
Brian E. Granger Adding first round of security tests of is_safe.	r15635	});
		});