From a6702a2a6d4becad0c9e083b900a2878c10dc3d4 2014-03-04 00:10:18
From: MinRK <benjaminrk@gmail.com>
Date: 2014-03-04 00:10:18
Subject: [PATCH] don't populate sanitized.safe by default

since it's potentially expensive.

walk nodes in is_safe

---

diff --git a/IPython/html/static/base/js/security.js b/IPython/html/static/base/js/security.js
index 7fb44c5..ef52947 100644
--- a/IPython/html/static/base/js/security.js
+++ b/IPython/html/static/base/js/security.js
@@ -92,11 +92,6 @@ IPython.security = (function (IPython) {
         };
 
         result.sanitized = caja.sanitizeWithPolicy(html, policy);
-        // caja can strip whole elements without logging,
-        // so double-check that node structure didn't change
-        if (result.safe) {
-            result.safe = cmp_tree($(result.sanitized), $(result.src));
-        }
         return result;
     };
     
@@ -107,7 +102,14 @@ IPython.security = (function (IPython) {
     
     var is_safe = function (html) {
         // just return bool for whether an HTML string is safe
-        return sanitize(html).safe;
+        var result = sanitize(html);
+        
+        // caja can strip whole elements without logging,
+        // so double-check that node structure didn't change
+        if (result.safe) {
+            result.safe = cmp_tree($(result.sanitized), $(html));
+        }
+        return result.safe;
     };
     
     return {