Backport PR #5459: Fix interact animation page jump FF

Firefox doesn't render images as soon as the data is available. When animating the way that we animate, this causes the output area to collapse quickly before returning to its original size. When the output area collapses, Firefox scrolls upwards in an attempt to compensate for the lost vertical content (so it looks like you are on the same spot in the page, with respect to the contents below the image's prior location). The solution is to resize the image output after the `img onload` event has fired.

This PR:
- Releases the `clear_output` height lock after the image has been loaded (instead of immediately or using a timeout).
- Removes a `setTimeout` call in the `append_output` method.
- `clear_output` in zmqshell no longer sends `\r` to the stream outputs.

closes #5128

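//----------------------------------------------------------------------------
// Copyright (C) 2014 The IPython Development Team
//
// Distributed under the terms of the BSD License. The full license is in
// the file COPYING, distributed as part of this software.
//----------------------------------------------------------------------------
//============================================================================
// Utilities
//============================================================================
IPython.namespace('IPython.security');
IPython.security = (function (IPython) {
    "use strict";

    // Identity function, handed to caja wherever it expects a rewriter or
    // policy callback and no rewriting is wanted.
    var noop = function (x) { return x; };

    // google-caja's sanitizer publishes itself as window.html, window.html4
    // and window.sanitizeStylesheet; gather them under one object.
    // If caja has not been loaded, `caja` stays undefined and every function
    // below throws on first use, so unsanitized input is never returned.
    var caja;
    if (window && window.html) {
        caja = window.html;
        caja.html4 = window.html4;
        caja.sanitizeStylesheet = window.sanitizeStylesheet;
    }

    var sanitizeAttribs = function (tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger) {
        // add trusting data-attributes to the default sanitizeAttribs from caja
        // this function is mostly copied from the caja source
        //
        // attribs is a flat list [name, value, name, value, ...], hence the
        // stride of 2. Every attribute whose name starts with 'data-' is
        // registered in caja's attribute table before delegating to
        // caja.sanitizeAttribs, which receives all arguments unchanged.
        //
        // Side effect: caja.html4.ATTRIBS is shared, so each registration
        // persists for all later calls. The names come from the HTML being
        // sanitized, so the table grows with every distinct data-* name seen.
        var ATTRIBS = caja.html4.ATTRIBS;
        var hasOwn = Object.prototype.hasOwnProperty;
        for (var i = 0; i < attribs.length; i += 2) {
            var attribName = attribs[i];
            if (attribName.slice(0, 5) === 'data-') {
                var attribKey = '*::' + attribName;
                if (!hasOwn.call(ATTRIBS, attribKey)) {
                    // NOTE(review): 0 is presumably html4.atype.NONE (plain
                    // text value); confirm against the bundled caja.
                    ATTRIBS[attribKey] = 0;
                }
            }
        }
        return caja.sanitizeAttribs(tagName, attribs, opt_naiveUriRewriter, opt_nmTokenPolicy, opt_logger);
    };

    var sanitize_css = function (css, tagPolicy) {
        // sanitize CSS
        // like sanitize_html, but for CSS
        // called by sanitize_stylesheets
        //
        // css:       stylesheet text taken from a <style> element
        // tagPolicy: the tag policy built in sanitize_html
        // returns whatever caja.sanitizeStylesheet returns for that text.
        var virtualization = {
            containerClass: null,
            idSuffix: '',
            tagPolicy: tagPolicy,
            virtualizeAttrName: noop
        };
        return caja.sanitizeStylesheet(
            window.location.pathname,
            css,
            virtualization,
            noop
        );
    };

    var sanitize_stylesheets = function (html, tagPolicy) {
        // sanitize just the css in style tags in a block of html
        // called by sanitize_html, if allow_css is true
        //
        // The markup is parsed into a detached <div> by jQuery, so it must
        // already have been through caja.sanitizeWithPolicy: this function
        // only rewrites the contents of <style> elements.
        var container = $("<div/>").append(html);
        var style_tags = container.find("style");
        if (!style_tags.length) {
            // no style tags to sanitize
            return html;
        }
        style_tags.each(function (i, style) {
            style.innerHTML = sanitize_css(style.innerHTML, tagPolicy);
        });
        return container.html();
    };

    var sanitize_html = function (html, allow_css) {
        // sanitize HTML
        // if allow_css is true (default: false), CSS is sanitized as well.
        // otherwise, CSS elements and attributes are simply removed.
        //
        // html:      untrusted markup
        // allow_css: keep <style> elements and run them through sanitize_css
        // returns the sanitized markup as a string.
        var html4 = caja.html4;

        // These writes change caja's shared tables; both branches assign the
        // same two entries, so each call sets the state it needs itself.
        // NOTE(review): sanitizeAttribs above registers keys in the
        // '*::name' form; confirm that the bare `style` key is the entry the
        // sanitizer actually consults for style attributes.
        if (allow_css) {
            // allow sanitization of style tags,
            // not just scrubbing
            html4.ELEMENTS.style &= ~html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.STYLE;
        } else {
            // scrub all CSS
            html4.ELEMENTS.style |= html4.eflags.UNSAFE;
            html4.ATTRIBS.style = html4.atype.SCRIPT;
        }

        var record_messages = function (msg, opts) {
            console.log("HTML Sanitizer", msg, opts);
        };

        var policy = function (tagName, attribs) {
            if (html4.ELEMENTS[tagName] & html4.eflags.UNSAFE) {
                // returning nothing makes caja drop the element
                record_messages(tagName + " removed", {
                    change: "removed",
                    tagName: tagName
                });
                return;
            }
            // NOTE(review): noop is passed as both the URI rewriter and the
            // NMTOKEN policy, so caja's built-in checks are the only filter
            // on URIs and id/class/name tokens; confirm this is intended.
            return {
                'attribs': sanitizeAttribs(tagName, attribs,
                    noop, noop, record_messages)
            };
        };

        var sanitized = caja.sanitizeWithPolicy(html, policy);

        if (allow_css) {
            // sanitize style tags as stylesheets
            // Pass the already-sanitized string. The earlier code read
            // `result.sanitized`, but no `result` exists since
            // sanitizeWithPolicy returns the string directly, so every
            // allow_css call threw a ReferenceError.
            sanitized = sanitize_stylesheets(sanitized, policy);
        }

        return sanitized;
    };

    return {
        caja: caja,
        sanitize_html: sanitize_html
    };

}(IPython));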