//----------------------------------------------------------------------------
// Copyright (C) 2014 The IPython Development Team
//
// Distributed under the terms of the BSD License. The full license is in
// the file COPYING, distributed as part of this software.
//----------------------------------------------------------------------------
//============================================================================
// Utilities
//============================================================================
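IPython.namespace('IPython.security');

IPython.security = (function (IPython) {
    "use strict";

    // Identity function, handed to caja wherever a rewriter/policy hook is
    // required but no rewriting is wanted.
    var noop = function (x) { return x; };

    // The google-caja sanitizer is expected on window.html, its element and
    // attribute tables on window.html4 and the stylesheet sanitizer on
    // window.sanitizeStylesheet.  If the library is not loaded, caja stays
    // undefined and every sanitize_* function below throws a TypeError
    // instead of handing back unsanitized markup.
    var caja;
    if (typeof window !== "undefined" && window.html) {
        caja = window.html;
        caja.html4 = window.html4;
        caja.sanitizeStylesheet = window.sanitizeStylesheet;
    }

    // Wrapper around caja.sanitizeAttribs that additionally trusts data-*
    // attributes on any tag.  Mostly copied from the caja source.
    //
    // Side effect: the '*::data-...' entries are written into the shared
    // caja.html4.ATTRIBS table, so once an attribute name has been seen it
    // stays allowed for every later call, not just this one.
    var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
        var ATTRIBS = caja.html4.ATTRIBS;
        // attribs is a flat [name, value, name, value, ...] list, hence the
        // stride of 2; only the names are inspected here.
        for (var i = 0; i < attribs.length; i += 2) {
            var attribName = attribs[i];
            if (attribName.indexOf('data-') === 0) {
                var attribKey = '*::' + attribName;
                if (!ATTRIBS.hasOwnProperty(attribKey)) {
                    // 0 is presumably html4.atype.NONE (plain-text value);
                    // confirm against the caja html4 tables.
                    ATTRIBS[attribKey] = 0;
                }
            }
        }
        return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
    };

    // sanitize CSS
    // like sanitize_html, but for a stylesheet body.
    // called by sanitize_stylesheets.
    // The current page path is passed as the first argument (presumably the
    // base URI caja resolves relative url()s against); containerClass and
    // idSuffix are left empty so selectors are not namespaced.
    var sanitize_css = function (css, tagPolicy) {
        return caja.sanitizeStylesheet(
            window.location.pathname,
            css,
            {
                containerClass: null,
                idSuffix: '',
                tagPolicy: tagPolicy,
                virtualizeAttrName: noop
            },
            noop
        );
    };

    // sanitize just the css in style tags in a block of html
    // called by sanitize_html, if allow_css is true.
    // The html is parsed into a detached jQuery element before the <style>
    // bodies are rewritten, so only pass markup caja has already sanitized
    // (as sanitize_html does): jQuery's append() is a parser, not a sanitizer.
    var sanitize_stylesheets = function (html, tagPolicy) {
        var container = $("<div/>").append(html);
        var style_tags = container.find("style");
        if (style_tags.length === 0) {
            // no style tags to sanitize; hand the input back untouched
            return html;
        }
        style_tags.each(function (i, style) {
            style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
        });
        return container.html();
    };

    // sanitize HTML
    // if allow_css is true (default: false), CSS is sanitized as well.
    // otherwise, CSS elements and attributes are simply removed.
    // The style entries of the shared caja.html4 tables are rewritten on
    // every call, so each call sets the mode explicitly instead of relying on
    // whatever the previous call left behind.
    var sanitize_html = function (html, allow_css) {
        var html4 = caja.html4;

        if (allow_css) {
            // allow sanitization of style tags,
            // not just scrubbing
            html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.STYLE;
        } else {
            // scrub all CSS
            html4.ELEMENTS.style |= html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.SCRIPT;
        }

        var record_messages = function (msg, opts) {
            console.log("HTML Sanitizer", msg, opts);
        };

        // tag policy handed to caja: a tag not flagged UNSAFE is kept with its
        // attributes run through sanitizeAttribs; for an UNSAFE tag the
        // removal is logged and nothing is returned, which caja presumably
        // treats as "drop the tag".
        // NOTE(review): a tagName missing from html4.ELEMENTS also passes the
        // check below (undefined & flag is 0); whether caja ever calls the
        // policy for such tags is not visible from here.
        var policy = function (tagName, attribs) {
            if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) {
                return {
                    'attribs': sanitizeAttribs(tagName, attribs,
                        noop, noop, record_messages)
                };
            }
            record_messages(tagName + " removed", {
                change: "removed",
                tagName: tagName
            });
        };

        var sanitized = caja.sanitizeWithPolicy(html, policy);

        if (allow_css) {
            // sanitize style tags as stylesheets.  This must operate on the
            // caja output from above (`sanitized`); the earlier reference to
            // `result.sanitized` named a variable that does not exist and
            // threw a ReferenceError whenever allow_css was true.
            sanitized = sanitize_stylesheets(sanitized, policy);
        }

        return sanitized;
    };

    return {
        caja: caja,
        sanitize_html: sanitize_html
    };
}(IPython));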