security.js
122 lines
| 3.9 KiB
| application/javascript
|
JavascriptLexer
Brian E. Granger
|
r15632 | //---------------------------------------------------------------------------- | ||
// Copyright (C) 2014 The IPython Development Team | ||||
// | ||||
// Distributed under the terms of the BSD License. The full license is in | ||||
// the file COPYING, distributed as part of this software. | ||||
//---------------------------------------------------------------------------- | ||||
//============================================================================ | ||||
// Utilities | ||||
//============================================================================ | ||||
IPython.namespace('IPython.security'); | ||||
IPython.security = (function (IPython) { | ||||
"use strict"; | ||||
var utils = IPython.utils; | ||||
MinRK
|
r15636 | |||
var noop = function (x) { return x; }; | ||||
MinRK
|
r15639 | var cmp_tree = function (a, b) { | ||
// compare two HTML trees | ||||
// only checks the tag structure is preserved, | ||||
// not any attributes or contents | ||||
if (a.length !== b.length) { | ||||
return false; | ||||
} | ||||
for (var i = a.length - 1; i >= 0; i--) { | ||||
if (a[i].tagName && b[i].tagName && a[i].tagName.toLowerCase() != b[i].tagName.toLowerCase()) { | ||||
return false; | ||||
} | ||||
} | ||||
var ac = a.children(); | ||||
var bc = b.children(); | ||||
if (ac.length === 0 && bc.length === 0) { | ||||
return true; | ||||
} | ||||
return cmp_tree(ac, bc); | ||||
}; | ||||
MinRK
|
r15641 | var caja; | ||
if (window && window.html) { | ||||
caja = window.html; | ||||
caja.html4 = window.html4; | ||||
} | ||||
var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) { | ||||
// wrap sanitizeAttribs into trusting data-attributes | ||||
var ATTRIBS = caja.html4.ATTRIBS; | ||||
for (var i = 0; i < attribs.length; i += 2) { | ||||
var attribName = attribs[i]; | ||||
if (attribName.substr(0,5) == 'data-') { | ||||
var attribKey = '*::' + attribName; | ||||
if (!ATTRIBS.hasOwnProperty(attribKey)) { | ||||
ATTRIBS[attribKey] = 0; | ||||
} | ||||
} | ||||
} | ||||
return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger); | ||||
}; | ||||
MinRK
|
r15636 | var sanitize = function (html, log) { | ||
// sanitize HTML | ||||
// returns a struct of | ||||
// { | ||||
// src: original_html, | ||||
// sanitized: the_sanitized_html, | ||||
// safe: bool // false if the sanitizer made any changes | ||||
// } | ||||
var result = { | ||||
src : html, | ||||
safe : true | ||||
}; | ||||
var record_messages = function (msg, opts) { | ||||
console.log("HTML Sanitizer", msg, opts); | ||||
result.safe = false; | ||||
}; | ||||
MinRK
|
r15641 | |||
var html4 = caja.html4; | ||||
var policy = function (tagName, attribs) { | ||||
if (!(html4.ELEMENTS[tagName] & html4.eflags.UNSAFE)) { | ||||
return { | ||||
'attribs': sanitizeAttribs(tagName, attribs, | ||||
noop, noop, record_messages) | ||||
}; | ||||
} else { | ||||
record_messages(tagName + " removed", { | ||||
change: "removed", | ||||
tagName: tagName | ||||
}); | ||||
} | ||||
}; | ||||
result.sanitized = caja.sanitizeWithPolicy(html, policy); | ||||
MinRK
|
r15636 | return result; | ||
}; | ||||
var sanitize_html = function (html) { | ||||
// shorthand for str-to-str conversion, dropping the struct | ||||
return sanitize(html).sanitized; | ||||
}; | ||||
Brian E. Granger
|
r15632 | var is_safe = function (html) { | ||
MinRK
|
r15636 | // just return bool for whether an HTML string is safe | ||
MinRK
|
r15645 | var result = sanitize(html); | ||
// caja can strip whole elements without logging, | ||||
// so double-check that node structure didn't change | ||||
if (result.safe) { | ||||
result.safe = cmp_tree($(result.sanitized), $(html)); | ||||
} | ||||
return result.safe; | ||||
MinRK
|
r15636 | }; | ||
Brian E. Granger
|
r15632 | return { | ||
MinRK
|
r15636 | is_safe: is_safe, | ||
sanitize: sanitize, | ||||
sanitize_html: sanitize_html | ||||
Brian E. Granger
|
r15632 | }; | ||
}(IPython)); | ||||