upstream/ipython Commit - r15650:0688b20a

1

safe_tests = [

1

safe_tests = [

2

"<p>Hi there</p>",

2

"<p>Hi there</p>",

3

'<h1 class="foo">Hi There!</h1>',

3

'<h1 class="foo">Hi There!</h1>',

4

'<a data-cite="foo">citation</a>',

4

'<a data-cite="foo">citation</a>',

5

'<div><span>Hi There</span></div>',

5

'<div><span>Hi There</span></div>',

6

];

6

];

7

8

unsafe_tests = [

8

unsafe_tests = [

9

"<script>alert(999);</script>",

9

"<script>alert(999);</script>",

10

'<a onmouseover="alert(999)">999</a>',

10

'<a onmouseover="alert(999)">999</a>',

11

'<a onmouseover=alert(999)>999</a>',

11

'<a onmouseover=alert(999)>999</a>',

12

'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',

12

'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',

13

'<IMG SRC=# onmouseover="alert(999)">',

13

'<IMG SRC=# onmouseover="alert(999)">',

14

'<<SCRIPT>alert(999);//<</SCRIPT>',

14

'<<SCRIPT>alert(999);//<</SCRIPT>',

15

'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',

15

'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',

16

'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',

16

'<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',

17

'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',

17

'<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',

18

'<IFRAME SRC="javascript:alert(999);"></IFRAME>',

18

'<IFRAME SRC="javascript:alert(999);"></IFRAME>',

19

'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',

19

'<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',

20

'<style type="text/css">div.foo { background: #ffff; }</style>',

20

'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',

21

'<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',

21

];

22

];

22

23

casper.notebook_test(function () {

24

casper.notebook_test(function () {

24

this.each(safe_tests, function (self, item) {

25

this.each(safe_tests, function (self, item) {

25

var is_safe = self.evaluate(function (item) {

26

var is_safe = self.evaluate(function (item) {

26

return IPython.security.is_safe(item);

27

return IPython.security.is_safe(item);

27

}, item);

28

}, item);

28

this.test.assert(is_safe, "Safe: " + item);

29

this.test.assert(is_safe, "Safe: " + item);

29

});

30

});

30

this.each(unsafe_tests, function (self, item) {

31

this.each(unsafe_tests, function (self, item) {

31

var is_safe = self.evaluate(function (item) {

32

var is_safe = self.evaluate(function (item) {

32

return IPython.security.is_safe(item);

33

return IPython.security.is_safe(item);

33

}, item);

34

}, item);

34

this.test.assert(!is_safe, "Unsafe: " + item);

35

this.test.assert(!is_safe, "Unsafe: " + item);

35

var sanitized = self.evaluate(function (item) {

36

var sanitized = self.evaluate(function (item) {

36

return IPython.security.sanitize_html(item);

37

return IPython.security.sanitize_html(item);

37

}, item);

38

}, item);

38

this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);

39

this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);

39

});

40

});

40

}); No newline at end of file

41

});

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             safe_tests = [
                 "<p>Hi there</p>",
                 '<h1 class="foo">Hi There!</h1>',
                 '<a data-cite="foo">citation</a>',
                 '<div><span>Hi There</span></div>',
             ];
             unsafe_tests = [
                 "<script>alert(999);</script>",
                 '<a onmouseover="alert(999)">999</a>',
                 '<a onmouseover=alert(999)>999</a>',
                 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
                 '<IMG SRC=# onmouseover="alert(999)">',
                 '<<SCRIPT>alert(999);//<</SCRIPT>',
                 '<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >',
                 '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
                 '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(999);">',
                 '<IFRAME SRC="javascript:alert(999);"></IFRAME>',
                 '<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>',
+                '<style type="text/css">div.foo { background: #ffff; }</style>',
                 '<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>',
             ];
             casper.notebook_test(function () {
                 this.each(safe_tests, function (self, item) {
                     var is_safe = self.evaluate(function (item) {
                         return IPython.security.is_safe(item);
                     }, item);
                     this.test.assert(is_safe, "Safe: " + item);
                 });
                 this.each(unsafe_tests, function (self, item) {
                     var is_safe = self.evaluate(function (item) {
                         return IPython.security.is_safe(item);
                     }, item);
                     this.test.assert(!is_safe, "Unsafe: " + item);
                     var sanitized = self.evaluate(function (item) {
                         return IPython.security.sanitize_html(item);
                     }, item);
                     this.test.assertEquals(sanitized.indexOf("alert"), -1, "Sanitized " + item);
                 });
             });