From 4f924b42660450c17bc10d724369fa1b92d9ab06 2014-03-04 00:10:18
From: MinRK <benjaminrk@gmail.com>
Date: 2014-03-04 00:10:18
Subject: [PATCH] sanitize untrusted HTML output

rather than checking is_safe

---

diff --git a/IPython/html/static/notebook/js/outputarea.js b/IPython/html/static/notebook/js/outputarea.js
index 84634aa..e057b07 100644
--- a/IPython/html/static/notebook/js/outputarea.js
+++ b/IPython/html/static/notebook/js/outputarea.js
@@ -490,13 +490,13 @@ var IPython = (function (IPython) {
             var type = OutputArea.display_order[type_i];
             var append = OutputArea.append_map[type];
             if ((json[type] !== undefined) && append) {
+                var value = json[type];
                 if (!this.trusted && !OutputArea.safe_outputs[type]) {
-                    // not trusted show warning and do not display
-                    var is_safe = false;
+                    // not trusted, sanitize HTML
                     if (type==='text/html' || type==='text/svg') {
-                        is_safe = IPython.security.is_safe(json[type]);
-                    }
-                    if (!is_safe) {
+                        value = IPython.security.sanitize_html(value);
+                    } else {
+                        // warn and don't display if we don't know how to sanitize it
                         var content = {
                             text : "Untrusted " + type + " output ignored.",
                             stream : "stderr"
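Review bot: The `text/svg` branch routes SVG through `sanitize_html`, so the sanitizer (not in this hunk) is now the only barrier against script in untrusted SVG — it needs to cover SVG-specific vectors (`<script>` and event attributes on SVG elements, `xlink:href`/`href` with `javascript:` URLs, `<foreignObject>` wrapping HTML), not just HTML tags; I would state that contract above line 23 with `// sanitize_html is the sole barrier for untrusted HTML/SVG: it must strip scripts, on* handlers, javascript: URLs and foreignObject`. Separately, SVG outputs are normally keyed by the `image/svg+xml` MIME type; if that is what `display_order` registers, the `text/svg` comparison never matches and SVG silently lands in the "Untrusted … output ignored" branch — worth confirming against the `display_order`/`append_map` definitions outside this hunk. The enclosing loop and method start and end outside the hunk.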
@@ -506,8 +506,8 @@ var IPython = (function (IPython) {
                     }
                 }
                 var md = json.metadata || {};
-                var toinsert = append.apply(this, [json[type], md, element]);
-                $([IPython.events]).trigger('output_appended.OutputArea', [type, json[type], md, toinsert]);
+                var toinsert = append.apply(this, [value, md, element]);
+                $([IPython.events]).trigger('output_appended.OutputArea', [type, value, md, toinsert]);
                 return true;
             }
         }
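Review bot: Nothing here records that `value` is the sanitized form while `json[type]` still holds the raw, unsanitized output, so a later change that reads `json[type]` for rendering (or that listeners of `output_appended.OutputArea` might do to "get the original") would reintroduce the injection this commit closes. I would add above line 39 `// value may be sanitized (untrusted output); json[type] is the raw value and must never be rendered directly`. Listeners of `output_appended.OutputArea` now receive the sanitized value rather than the raw one, which is the right default but is a behaviour change worth a line in the commit description. The enclosing method continues outside the hunk.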