diff --git a/IPython/html/static/base/js/security.js b/IPython/html/static/base/js/security.js
new file mode 100644
index 0000000..583ba0f
--- /dev/null
+++ b/IPython/html/static/base/js/security.js
@@ -0,0 +1,52 @@
+//----------------------------------------------------------------------------
+// Copyright (C) 2014 The IPython Development Team
+//
+// Distributed under the terms of the BSD License. The full license is in
+// the file COPYING, distributed as part of this software.
+//----------------------------------------------------------------------------
+
+//============================================================================
+// Utilities
+//============================================================================
+IPython.namespace('IPython.security');
+
+IPython.security = (function (IPython) {
+ "use strict";
+
+ var utils = IPython.utils;
+
+ var is_safe = function (html) {
+ // Is the html string safe against JavaScript based attacks. This
+ // detects 1) black listed tags, 2) blacklisted attributes, 3) all
+ // event attributes (onhover, onclick, etc.).
+ var black_tags = ['script', 'style'];
+ var black_attrs = ['style'];
+ var wrapped_html = '
'+html+'
';
+ var e = $(wrapped_html);
+ var safe = true;
+ // Detect black listed tags
+ $.map(black_tags, function (tag, index) {
+ if (e.find(tag).length > 0) {
+ safe = false;
+ }
+ });
+ // Detect black listed attributes
+ $.map(black_attrs, function (attr, index) {
+ if (e.find('['+attr+']').length > 0) {
+ safe = false;
+ }
+ });
+ e.find('*').each(function (index) {
+ $.map(utils.get_attr_names($(this)), function (attr, index) {
+ if (attr.match('^on')) {safe = false;}
+ });
+ })
+ return safe;
+ }
+
+ return {
+ is_safe: is_safe
+ };
+
+}(IPython));
+
diff --git a/IPython/html/static/base/js/utils.js b/IPython/html/static/base/js/utils.js
index cfd138b..3b59a10 100644
--- a/IPython/html/static/base/js/utils.js
+++ b/IPython/html/static/base/js/utils.js
@@ -488,6 +488,15 @@ IPython.utils = (function (IPython) { } }
+ var get_attr_names = function (e) {
+ // Get the names of all the HTML attributes of the element e.
+ var el = $(e)[0];
+ var arr = [];
+ for (var i=0, attrs=el.attributes, l=attrs.length; i>>>>>> 8e23f06... Adding security.js with 1st attempt at is_safe. /** * Construct a new TextCell, codemirror mode is by default 'htmlmixed', and cell type is 'text'
diff --git a/IPython/html/templates/notebook.html b/IPython/html/templates/notebook.html
index 104d4e3..687a288 100644
--- a/IPython/html/templates/notebook.html
+++ b/IPython/html/templates/notebook.html
@@ -318,6 +318,7 @@ class="notebook_app" +
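Review bot: `var e = $(wrapped_html);` builds live DOM nodes from the untrusted string before any of the checks below it run, so evaluating is_safe can itself trigger resource loads and the handlers attached to them — the function is meant to gate rendering, yet a rendering-like side effect already happens inside it. Parse into an inert document instead, e.g. `var doc = document.implementation.createHTMLDocument('');`, `doc.body.innerHTML = html;`, `var e = $(doc.body);`, and run the existing tag/attribute/`on*` checks against that `e`. The header comment should also state what this is and is not: a deny-list for the `script`/`style` tags, the `style` attribute and `on*` attributes, not a sanitizer — URL-bearing attributes and embedding tags are not inspected, so callers must not treat a true result as safe-to-render without further filtering. The wrapped_html line has lost its wrapper tags in this rendering, and the `get_attr_names` helper this relies on is cut off in the utils.js hunk, so neither could be checked here.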