From a6702a2a6d4becad0c9e083b900a2878c10dc3d4 2014-03-04 00:10:18 From: MinRK Date: 2014-03-04 00:10:18 Subject: [PATCH] don't populate sanitized.safe by default since it's potentially expensive. walk nodes in is_safe
---
diff --git a/IPython/html/static/base/js/security.js b/IPython/html/static/base/js/security.js
index 7fb44c5..ef52947 100644
--- a/IPython/html/static/base/js/security.js
+++ b/IPython/html/static/base/js/security.js
@@ -92,11 +92,6 @@ IPython.security = (function (IPython) {
 };
 result.sanitized = caja.sanitizeWithPolicy(html, policy);
- // caja can strip whole elements without logging,
- // so double-check that node structure didn't change
- if (result.safe) {
- result.safe = cmp_tree($(result.sanitized), $(result.src));
- }
 return result;
 };
@@ -107,7 +102,14 @@ IPython.security = (function (IPython) {
 var is_safe = function (html) {
 // just return bool for whether an HTML string is safe
- return sanitize(html).safe;
+ var result = sanitize(html);
+
+ // caja can strip whole elements without logging,
+ // so double-check that node structure didn't change
+ if (result.safe) {
+ result.safe = cmp_tree($(result.sanitized), $(html));
+ }
+ return result.safe;
 };
 return {
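Review bot: In `is_safe`, `cmp_tree($(result.sanitized), $(html))` passes the raw, unsanitized string to jQuery, which builds it into nodes owned by the live document, so the untrusted markup can start resource loads or run inline handlers before the safety verdict is known. A string that does not begin with `<` is also treated as a selector rather than as markup. Parsing both sides into an inert document avoids this, for example `var doc = document.implementation.createHTMLDocument('');` followed by `result.safe = cmp_tree($($.parseHTML(result.sanitized, doc)), $($.parseHTML(html, doc)));`. This needs checking against `cmp_tree`, which is defined outside the hunk and may handle text nodes differently. Separately, with the check removed in the first hunk, `sanitize(html).safe` no longer reflects elements that caja strips without logging, so `sanitize` should carry a comment such as `// NOTE: result.safe only reflects logged policy rejections; use is_safe() for a full verdict`.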