Make comm manager (mostly) independent of InteractiveShell...
Make comm manager (mostly) independent of InteractiveShell. This makes it possible to use comms from wrapper kernels, without instantiating the full IPython shell machinery. The one remaining place where we need a reference to shell is to fire pre_execute and post_execute hooks (which are needed to get mpl figures right). This is a pure IPythonism, so it should be safe to ignore if shell is not set.

security.js
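// Markup the sanitizer must return byte-for-byte unchanged: plain elements,
// a class attribute, a data-* attribute, and nested block/inline elements.
// Declared with `var` so the fixture is not an implicit global.
var safe_tests = [
    "<p>Hi there</p>",
    '<h1 class="foo">Hi There!</h1>',
    '<a data-cite="foo">citation</a>',
    '<div><span>Hi There</span></div>'
];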
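// Inputs the sanitizer must alter: inline scripts, event-handler attributes,
// javascript:/data: URLs in META, IFRAME and EMBED, plus CSS in <style> tags
// and style attributes (the sanitizer scrubs CSS entirely). Each entry is
// compared against its sanitized form and checked for a surviving "alert".
// Declared with `var` so the fixture is not an implicit global.
var unsafe_tests = [
    "<script>alert(999);</script>",
    '<a onmouseover="alert(999)">999</a>',
    '<a onmouseover=alert(999)>999</a>',
    '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
    '<IMG SRC=# onmouseover="alert(999)">',
    '<<SCRIPT>alert(999);//<</SCRIPT>',
    '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
    '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
    '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
    '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
    '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
    '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
    // CSS is scrubbed
    '<style src="http://untrusted/style.css"></style>',
    '<style>div#notebook { background-color: alert-red; }</style>',
    '<div style="background-color: alert-red;"></div>'
];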
// Shorten s for display in assertion messages: strings longer than n are cut
// to their first n-3 characters followed by '...'; others are returned as-is.
var truncate = function (s, n) {
    return s.length > n ? s.substring(0, n - 3) + '...' : s;
};
// Exercise IPython.security.sanitize_html inside the notebook page: trusted
// markup must pass through untouched, and every unsafe vector must be altered
// and lose its "alert" marker.
casper.notebook_test(function () {
    // Run the sanitizer in the page context on a single input string.
    var sanitize_in_page = function (self, html) {
        return self.evaluate(function (html) {
            return IPython.security.sanitize_html(html);
        }, html);
    };

    this.each(safe_tests, function (self, item) {
        var output = sanitize_in_page(self, item);
        // exact string equality may be stricter than needed, but holds today
        var label = "Safe: '" + truncate(item, 32) + "'";
        this.test.assertEquals(output, item, label);
    });

    this.each(unsafe_tests, function (self, item) {
        var output = sanitize_in_page(self, item);
        var label = "Sanitized: '" + truncate(item, 32) +
            "' => '" + truncate(output, 32) + "'";
        this.test.assertNotEquals(output, item, label);
        // the "alert" payload marker must not survive sanitization
        this.test.assertEquals(output.indexOf("alert"), -1, "alert removed");
    });
});