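// Markup the sanitizer is expected to return byte-for-byte unchanged:
// plain elements, a class attribute and a data-* attribute.
// Declared with `var` (still a script-scope global, so the test below sees it)
// instead of an implicit global, which would throw under strict mode.
var safe_tests = [
    "<p>Hi there</p>",
    '<h1 class="foo">Hi There!</h1>',
    '<a data-cite="foo">citation</a>',
    '<div><span>Hi There</span></div>',
];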
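// Markup the sanitizer must alter: inline script, event-handler attributes,
// meta refresh, iframe/embed with javascript:/data: sources, and CSS.
// The test below asserts each entry comes back changed and that the literal
// "alert" is gone. Note that four entries (the remote script src, the two
// base64 data: URIs and the external style sheet) never contain the literal
// "alert", so for those only the inequality assertion is meaningful.
// Declared with `var` (script-scope global) rather than as an implicit global,
// which would throw under strict mode.
var unsafe_tests = [
    "<script>alert(999);</script>",
    '<a onmouseover="alert(999)">999</a>',
    '<a onmouseover=alert(999)>999</a>',
    '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    '<IMG SRC=# onmouseover="alert(999)">',
    '<<SCRIPT>alert(999);//<</SCRIPT>',
    '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
    '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
    '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
    '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
    '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
    '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
    // CSS is scrubbed
    '<style src="http://untrusted/style.css"></style>',
    '<style>div#notebook { background-color: alert-red; }</style>',
    '<div style="background-color: alert-red;"></div>',
];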
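// Shorten a string for use in an assertion label.
// Returns `s` unchanged when it fits in `n` characters; otherwise the first
// `n - 3` characters followed by "..." so the result is exactly `n` long.
// When `n < 3` there is no room for the ellipsis, so the plain `n`-character
// prefix is returned (the previous `substr(0, n-3)` produced a negative length
// there and yielded a bare "..." longer than `n`).
var truncate = function (s, n) {
    if (s.length <= n) {
        return s;
    }
    if (n < 3) {
        return s.slice(0, n);
    }
    // slice replaces the Annex-B substr; identical result for these arguments
    return s.slice(0, n - 3) + '...';
};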
casper.notebook_test(function () {
    // Run one string through IPython.security.sanitize_html inside the
    // notebook page and hand the result back to the test.
    var sanitize_in_page = function (browser, html) {
        return browser.evaluate(function (item) {
            return IPython.security.sanitize_html(item);
        }, html);
    };

    // Safe markup must come back from the sanitizer unchanged.
    this.each(safe_tests, function (self, item) {
        var sanitized = sanitize_in_page(self, item);
        // string equality may be too strict, but it works for now
        this.test.assertEquals(sanitized, item, "Safe: '" + truncate(item, 32) + "'");
    });

    // Unsafe markup must be altered, and the literal "alert" must not survive.
    this.each(unsafe_tests, function (self, item) {
        var sanitized = sanitize_in_page(self, item);
        var label = "Sanitized: '" + truncate(item, 32) +
            "' => '" + truncate(sanitized, 32) + "'";
        this.test.assertNotEquals(sanitized, item, label);
        this.test.assertEquals(sanitized.indexOf("alert"), -1, "alert removed");
    });
});